vSOC SPOT Report: IE – Scripting Engine Memory Corruption Vulnerability
Posted by: GuidePoint Security
Overview
On December 19th, 2018, Microsoft released an out-of-band patch for a zero-day vulnerability affecting multiple Internet Explorer versions across all platforms. The vulnerability could allow remote code execution in the scripting engine that handles objects in memory within Internet Explorer, giving the attacker the same rights as the user logged into the system.
Technical Overview
Remote code execution is possible because of the way IE's scripting engine, Jscript.dll, handles objects in memory: an attacker can corrupt a portion of IE's memory in a way that allows arbitrary code to run on the affected system. An attacker exploiting this vulnerability would gain only the rights of the logged-in user, but even that can provide a pivot point into the environment.
The vulnerability was reported to Microsoft by Clément Lecigne of Google's Threat Analysis Group and is believed to be exploited in the wild; many organizations recommend patching immediately based on its severity (a CVSS score of 7.5 at the vulnerability's highest rating).
Potential Impact
If an attacker is able to exploit this vulnerability against a user's vulnerable browser, they gain the same rights as the logged-in user. Limiting the access users have to the operating system therefore helps mitigate the impact, though even with limited rights the attacker can still use the compromised system as a pivot point within the network.
What You Should Do
Currently all versions of IE on all in-life servers and workstations are considered vulnerable, and patching as soon as possible is recommended because the vulnerability is already being exploited in the wild. If your organization is unable to patch due to an end-of-year change freeze or the holiday, it is recommended to implement the following workaround provided by Microsoft:
Restrict access to JScript.dll
For 32-bit systems, enter the following command at an administrative command prompt:
cacls %windir%\system32\jscript.dll /E /P everyone:N
For 64-bit systems, enter the following command at an administrative command prompt:
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
Impact of Workaround
By default, IE11, IE10, and IE9 use Jscript9.dll, which is not impacted by this vulnerability. The vulnerability only affects certain websites that utilize jscript as the scripting engine.
How to undo the workaround
For 32-bit systems, enter the following command at an administrative command prompt:
cacls %windir%\system32\jscript.dll /E /R everyone
For 64-bit systems, enter the following command at an administrative command prompt:
cacls %windir%\syswow64\jscript.dll /E /R everyone
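The cacls commands above apply and remove the workaround on one host, but a SOC usually needs to know which machines actually have the deny entry in place while patching is frozen. The following PowerShell script is an added example, not code from the GuidePoint report or from Microsoft's advisory: it inspects the ACL on the same jscript.dll paths the advisory names, reports whether a Deny entry for Everyone (what cacls /P everyone:N writes) is present, and records the file version for the patch inventory. The function names, the parameter names and the output object layout are this example's own assumptions; it assumes Windows PowerShell 5.1 run from an elevated prompt.

```powershell
# Added example (not part of the GuidePoint report or Microsoft's advisory).
# Audits whether the JScript.dll workaround for CVE-2018-8653 is in place on this host.
# Assumes Windows PowerShell 5.1, run elevated. Function/parameter names are hypothetical.

function Get-JScriptWorkaroundState {
    [CmdletBinding()]
    param()

    # Same paths the advisory's cacls commands target: system32 always,
    # syswow64 additionally on 64-bit installs.
    $paths = @("$env:windir\System32\jscript.dll")
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "$env:windir\SysWOW64\jscript.dll"
    }

    # Well-known SID for Everyone; matching by SID avoids localized account names.
    $everyoneSid = 'S-1-1-0'

    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Present = $false; Version = $null; WorkaroundApplied = $false }
            continue
        }

        $acl = Get-Acl -LiteralPath $path
        # cacls ... /P everyone:N produces a Deny ACE for Everyone; look for any such entry.
        $denyForEveryone = $acl.Access | Where-Object {
            $isDeny = $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny
            $sid = $null
            try {
                $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $null   # unresolvable identity: not Everyone
            }
            $isDeny -and ($sid -eq $everyoneSid)
        }

        [pscustomobject]@{
            Path              = $path
            Present           = $true
            Version           = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            WorkaroundApplied = [bool]$denyForEveryone
        }
    }
}

function Set-JScriptWorkaround {
    # Applies (or with -Undo, removes) the advisory's own cacls commands on every
    # jscript.dll path found, skipping paths already in the requested state.
    [CmdletBinding()]
    param([switch]$Undo)

    foreach ($entry in Get-JScriptWorkaroundState) {
        if (-not $entry.Present) { continue }
        if ($Undo -and $entry.WorkaroundApplied) {
            & cacls $entry.Path /E /R everyone
        } elseif (-not $Undo -and -not $entry.WorkaroundApplied) {
            & cacls $entry.Path /E /P everyone:N
        }
    }
}

# Usage: report current state; apply with Set-JScriptWorkaround, revert with Set-JScriptWorkaround -Undo.
Get-JScriptWorkaroundState | Format-Table -AutoSize
```

The audit half can be pushed to a fleet through your existing remote-execution tooling and the resulting objects collected to track which hosts still rely on the workaround rather than the patch; the `Version` field is there so the same inventory can later confirm the patched jscript.dll has been rolled out.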
Supporting Information
- https://www.tenable.com/blog/microsoft-releases-out-of-band-patch-for-internet-explorer-remote-code-execution-vulnerability
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653?ranMID=43674&ranEAID=je6NUbpObpQ&ranSiteID=je6NUbpObpQ-rTSgqR0mdVwYZBf_O29Pyg&epi=je6NUbpObpQ-rTSgqR0mdVwYZBf_O29Pyg&irgwc=1&OCID=AID681541_aff_7795_1243925&tduid=(ir__g1yk6qvyzzvhuwoownzjkp0w0m2xhkgsahsodz3f00)(7795)(1243925)(je6NUbpObpQ-rTSgqR0mdVwYZBf_O29Pyg)()&irclickid=_g1yk6qvyzzvhuwoownzjkp0w0m2xhkgsahsodz3f00
- https://www.zdnet.com/article/microsoft-releases-security-update-for-new-ie-zero-day/