Microsoft delivers emergency patch for under-attack IE

The company issued a rare emergency security update to fix a zero-day vulnerability – reported by a Google security engineer – in the still-supported IE9, IE10 and IE11.

Gregg Keizer Dec 20th 2018
Microsoft_delivers_emergency_patch_for_under-attack_IE.jpg

Microsoft rarely mentions Internet Explorer (IE) anymore, but when it does, it usually means bad news.

So it was Wednesday, when Microsoft issued a rare emergency security update to plug a critical vulnerability in the still-supported IE9, IE10 and IE11. The flaw was reported to Microsoft by Google security engineer Clement Lecigne.

The update was issued to Windows 7, 8.1 and 10 - the latter with patches for versions 1607 and later - as well as Windows Server 2008, 2012, 2016 and 2019. (Updates for some versions of Windows 10 - 1607 and 1703 - were available only to Windows 10 Enterprise and Windows 10 Education.)

"A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer," Microsoft stated in the CVE-2018-8653 support document. "The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user."

The vulnerability could be exploited simply by drawing users running IE9, IE10 or IE11 to a malicious website, perhaps with a phishing email.

Microsoft demoted IE to legacy status in early 2016; although the firm promised to continue patching the browser's vulnerabilities, it stopped improving or enhancing it. The only reason Microsoft still serviced IE was so business users of Windows 7, 8.1 and 10 could continue to run custom web apps and aged intranet sites. The future, Microsoft has said time and time again, is Edge, which runs only on Windows 10.

In November, IE accounted for just 9.6% of global browser user share, as measured by analytics vendor Net Applications, and approximately 11% of all Windows PCs. Those numbers masked a more serious problem: In the preceding 12 months, IE lost one-fifth of its users, an unsustainable rate of decline.

The IE security fix will be automatically offered, downloaded and installed on most unmanaged Windows PCs.