Microsoft has released an emergency patch to fix a critical vulnerability discovered in Internet Explorer. If left unpatched, the security hole could let an attacker remotely execute malicious code on a victim's PC when the victim visits a compromised website. Listed as CVE-2018-8653, the flaw affects all supported versions of Windows.
"A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user," Microsoft explains.
The vulnerability could also allow an attacker to take full control of a system, if the victim is logged in with administrative rights. After doing so, the attacker could then install malware on the target PC; view, edit, and delete data; and create new accounts with full user rights. As such, it's a pretty serious security hole with dangerous implications.
As is usually the case, common sense computing habits can go a long way towards preventing an infection. In this case, Microsoft explains that a malicious host could create a website that is designed to exploit the vulnerability through IE, then lure victims through phishing emails.
"The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory," Microsoft says.
Anyone who has Windows Update enabled should receive the security patch automatically. To be on the safe side, however, Windows users should manually check for any available security patches through Windows Update and install them, even if they do not use IE.