Microsoft Releases Emergency Security Update for Actively Exploited Vulnerability

[cageymaru]

Microsoft has released an emergency security update to patch an actively exploited vulnerability in Internet Explorer. CVE-2018-8653 addresses a remote code execution vulnerability caused by the way the scripting engine handles objects in Internet Explorer. The exploit corrupts memory in such as way that an attacker can execute arbitrary code in the context of the current user. The attacker will have the same rights as the current user. If the user is logged in as an administrative rights user then the attacker can change, delete, install, create new accounts or view any data that they wish. Web-based attackers can create a website designed to trigger the exploit. I ran Windows Update and it installed the update in a few seconds.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

 

[brogers]

That's no good, my company is still heavily reliant on IE11 because we use Oracle EBS r12.

 

[Nenu]

Only Windows 10?

 

[ManofGod]

Thanks for the heads-up.

 

[ManofGod]

Only Windows 10?

It is an IE risk so probably not.

 

[trparky]

Only Windows 10?

Nope, it affects everything going back to Windows 7.

 

[Jim Kim]

. I ran Windows Update and it installed the update in a few seconds.

Thats all fine and dandy, but aren't they recommending we don't run WUp, or are we not supposed to hit the check for updates ( like you were always supposed to do with previous versions of Windows.)
https://www.howtogeek.com/369656/do...-unless-you-want-unstable-windows-10-updates/

 

[cageymaru]

Thats all fine and dandy, but aren't they recommending we don't run WUp, or are we not supposed to hit the check for updates ( like you were always supposed to do with previous versions of Windows.)
https://www.howtogeek.com/369656/do...-unless-you-want-unstable-windows-10-updates/

I like my security so I run it manually.

 

[EchtoGammut]

I read this post while in the office, I was thinking I should probably log into Intune and push out the update and right at that moment I saw one my employees' computers rebooting and applying an update out of the corner of my eye. So much for having to approve updates.

 

[piscian18]

OH thank god, I hope they patch netscape soon.

 

[Hallucinator]

1.4 GB Cumulative Update for Windows 10 LTSC 1607 x64 just to patch IE11?

oO

Okkayy... here it goes - downloading it now.

 

[clockdogg]

52 Megs just to patch IE11 on Win7x64?!

Does this exploit work if one never uses IE11 for anything on the web or is it self-contaminating just sitting on the disk?

 

[risc]

52 Megs just to patch IE11 on Win7x64?!

Does this exploit work if one never uses IE11 for anything on the web or is it self-contaminating just sitting on the disk?

Many Windows programs use IE to display http content, e.g. Steam.

Without running IE directly you could inadvertently run malicious code which uses this exploit.

 

[B00nie]

IE has damaged windows users more than any other program most likely.

 

[Spidey329]

That's no good, my company is still heavily reliant on IE11 because we use Oracle EBS r12.

Oracle and their outdated systems. I remember when my University switched their student system to them, took years for them to get things working correctly in non IE browsers (which at the time, was just about every student). So ridiculous.

 

[naib]

IE has damaged windows users more than any other program most likely.

Oh I don't know, I think windows_update.exe has that crown

 

[katanaD]

I read this post while in the office, I was thinking I should probably log into Intune and push out the update and right at that moment I saw one my employees' computers rebooting and applying an update out of the corner of my eye. So much for having to approve updates.

and that right there is one of the issues i have with win10 updates. That, and you cannot reboot a computer without installing updates

 

[Jim Kim]

I read this post while in the office, I was thinking I should probably log into Intune and push out the update and right at that moment I saw one my employees' computers rebooting and applying an update out of the corner of my eye. So much for having to approve updates.

un fucking believable

 

[naib]

https://mspoweruser.com/surprise-emergency-ie-patch-preventing-some-pcs-from-booting/

Surprise! Emergency IE patch preventing some PCs from booting

 

[HAL_404]

yuppers, was wondering what the update an evening to two ago was about

 

[ManofGod]

https://mspoweruser.com/surprise-emergency-ie-patch-preventing-some-pcs-from-booting/

Surprise! Emergency IE patch preventing some PCs from booting


View attachment 129696

I actually took the time to read the article and not the usual MSPOWERUSER click bait title. "Some PCs"? You mean some specific Lenovo laptops with less than 8GB of ram, Secure boot enabled and possibly using Bootlocker. In other words, someone neglected to make their machines properly secure and now it is coming back to bite them in the butt, IE: Lenovo themselves.

Edit: There is an actual fix and it effects very few and yet, they are doing something about it anyways. No, I think FaaS would be a not good idea but this is probably a reason why they want it.

 

[naib]

I actually took the time to read the article and not the usual MSPOWERUSER click bait title. "Some PCs"? You mean some specific Lenovo laptops with less than 8GB of ram, Secure boot enabled and possibly using Bootlocker. In other words, someone neglected to make their machines properly secure and now it is coming back to bite them in the butt, IE: Lenovo themselves.

Edit: There is an actual fix and it effects very few and yet, they are doing something about it anyways. No, I think FaaS would be a not good idea but this is probably a reason why they want it.

 

[ManofGod]

View attachment 129702

So, I see you like click baity titles. Musr love it over there then.