Microsoft has identified a vulnerability in Internet Explorer and is delivering an update today to close a remote code execution hole.
CVE-2018-8653 | Scripting Engine Memory Corruption Vulnerability
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The update is now available through Microsoft Update and from the following link:
The vulnerability exists in all current versions of Internet Explorer including 9, 10, and 11 on Windows 10, Windows 8.1, Windows 8.1 RT, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008.
Microsoft is looking to minimize the effort it puts into supporting products and services that are no longer viable. According to a post on the company’s Answers forums, the following products will no longer be supported for online help:
- Windows 7, 8.1, 8.1 RT
- Microsoft Security Essentials
- Internet Explorer 10
- Office 2010, 2013
- Surface Pro, Surface Pro 2, Surface RT, Surface 2
- Microsoft Band – this topic will be locked. Users are invited to participate in Microsoft Band 2 topic.
- Mobile devices forum – Microsoft support will continue in “Other Windows mobile devices” topic
- Zune – this topic will be locked, but will remain available for browsing
These changes will take effect in July.
Full announcement: Product support forum changes on Microsoft Community
When the Fall Creators Update for Windows 10 ships, Microsoft will disable VBScript support in Internet Explorer 11 by default. Those in the Windows 10 Insider program can experience that today: the latest Insider build has the change implemented.
Microsoft is promising to bring the same change to earlier, supported versions of Windows through a cumulative security update. The setting can still be changed through the registry and through Group Policy, but organizations that still use Internet Explorer 11 instead of Chrome or Edge should start planning now to test that business-critical applications will still function.
Blog post announcement: An update on disabling VBScript in Internet Explorer 11
Microsoft’s promise in April 2016 to better protect customers against older security methods will go into effect on February 14, 2017.
According to a blog post reminder…
Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Though we strongly discourage it, users will have the option to ignore the error and continue to the website.
The blog post also provides a FAQ section which includes:
- How can I test if my site will be impacted?
- How will other Windows applications and older versions of Internet Explorer be impacted?
- How will SHA-1 client authentication certificates be impacted?
- What about cross-signed certificates?