Microsoft releases security update for new IE zero-day

All I want for Christmas is a new security update to patch a zero-day IE exploit…

Microsoft have today released a new out-of-band update for an Internet Explorer vulnerability that is currently being abused in the wild. Just in time for all those Admins planning to have some time off, and well after any planned change lockout windows have come into effect!

According to the security advisory Microsoft released, the IE zero-day can allow an attacker to execute malicious code on a user’s computer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user, and we’re all doing the right thing and NOT granting our users Admin rights, aren’t we!!!!!

In a nice move by Microsoft for all those IT Admins who are halfway out the door for the holiday period and may not have the time to thoroughly test and deploy the latest hotfix and cumulative update, the security advisory for CVE-2018-8653 also contains workarounds for restricting access to the IE scripting engine until system administrators can deploy today’s official patch.

Workarounds

The workaround provided by Microsoft is simply to deny user access to the affected DLL (jscript.dll), which is not the default JavaScript engine DLL that Internet Explorer uses (Jscript9.dll). jscript.dll is only called in a specific manner, in this instance by a malicious method, so the workaround should have minimal impact for general use.

Edit (22/12): Workaround modified slightly by Microsoft (added takeown cmd) and republished, updated below.

Edit (20/12): 15:30 AEDST Microsoft have unpublished the suggested workaround.

Restrict access to JScript.dll. For 32-bit systems, enter the following command at an administrative command prompt:

	takeown /f %windir%\system32\jscript.dll
	cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, enter the following command at an administrative command prompt:

	takeown /f %windir%\syswow64\jscript.dll
	cacls %windir%\syswow64\jscript.dll /E /P everyone:N
	takeown /f %windir%\system32\jscript.dll
	cacls %windir%\system32\jscript.dll /E /P everyone:N

Impact of Workaround. By default, IE11, IE10, and IE9 use Jscript9.dll, which is not impacted by this vulnerability. This vulnerability only affects certain websites that utilize jscript as the scripting engine.

How to undo the workaround. For 32-bit systems, enter the following command at an administrative command prompt:

	cacls %windir%\system32\jscript.dll /E /R everyone

For 64-bit systems, enter the following command at an administrative command prompt:

	cacls %windir%\syswow64\jscript.dll /E /R everyone
	cacls %windir%\system32\jscript.dll /E /R everyone
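
To confirm on a given machine that the workaround is in place, or that it has been undone again, the ACL on each copy of jscript.dll can be checked. The PowerShell below is an added example, not part of Microsoft's advisory or the original post; the function names are hypothetical, and it assumes that `cacls ... /P everyone:N` appears in the ACL as a Deny entry for Everyone.

```powershell
# Added example: report whether the jscript.dll workaround ACE is present.
# Assumption: "cacls ... /P everyone:N" shows up as a Deny ACE for Everyone.
$everyoneSid = 'S-1-1-0'   # well-known SID for Everyone, independent of OS language

function Get-JScriptTarget {
    $os64   = [Environment]::Is64BitOperatingSystem
    $proc64 = [Environment]::Is64BitProcess
    # A 32-bit process on 64-bit Windows is redirected from System32 to SysWOW64;
    # Sysnative reaches the real 64-bit directory.
    $native  = if ($os64 -and -not $proc64) { 'Sysnative' } else { 'System32' }
    $targets = @(Join-Path $env:windir "$native\jscript.dll")
    if ($os64) { $targets += Join-Path $env:windir 'SysWOW64\jscript.dll' }
    $targets
}

function Test-JScriptWorkaround {
    param([Parameter(Mandatory)][string]$Path)
    $state  = 'NotApplied'
    $detail = ''
    if (-not (Test-Path -LiteralPath $Path)) {
        $state = 'FileMissing'
    } else {
        try {
            $acl   = Get-Acl -LiteralPath $Path -ErrorAction Stop
            # Include explicit and inherited rules, with identities returned as SIDs.
            $rules = $acl.GetAccessRules($true, $true,
                         [System.Security.Principal.SecurityIdentifier])
            $deny  = $rules | Where-Object {
                $_.IdentityReference.Value -eq $everyoneSid -and
                $_.AccessControlType -eq 'Deny'
            }
            if ($deny) { $state = 'Applied' }
        } catch {
            # A deny-all entry can also block reading the ACL for accounts
            # that do not own the file, so report this rather than guessing.
            $state  = 'AclUnreadable'
            $detail = $_.Exception.Message
        }
    }
    [pscustomobject]@{ Path = $Path; State = $state; Detail = $detail }
}

Get-JScriptTarget | ForEach-Object { Test-JScriptWorkaround -Path $_ }
```

Run it from an elevated prompt. On a 64-bit system both paths should report `Applied` after the workaround and `NotApplied` after the undo commands.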
