On December 19, 2018, Microsoft released the cumulative security update KB4483187 for Internet Explorer. Here is some information about this update.
I already had a reader inquiry yesterday asking if I expected a special update for Internet Explorer. Today Microsoft sent me a Security Advisory on this issue.
********************************************************************
Title: Microsoft Security Update Releases
Issued: December 19, 2018
********************************************************************
Summary
=======
The following CVE has been added to the December 2018 Security
Updates:
* CVE-2018-8653
Revision Information:
=====================
– CVE-2018-8653 | Scripting Engine Memory Corruption
Vulnerability
– https://portal.msrc.microsoft.com/en-us/security-guidance
– Reason for Revision: Information published.
– Originally posted: December 19, 2018
– Updated: N/A
– Aggregate CVE Severity Rating: Critical
– Version: 1.0
Details about update KB4483187 for Internet Explorer
Microsoft has published its own page with details about the update KB4483187 for Internet Explorer. The update fixes the remote code execution vulnerability CVE-2018-8653 in the scripting engine.
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.
The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.
So far, there seems to be no (publicly known) exploitation of the vulnerability. The update is available for Internet Explorer 10 and 11. The download can be found on this page. The update is also available via Windows Update.
Note: If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update.
Known issues
After you install this security update on a computer that is running Windows Server 2012 R2 or Windows 8.1, the About Internet Explorer 11 dialog box displays KB4470199 (the December 11, 2018 security update for Internet Explorer) instead of KB4483187. Users can check to see if they are protected by checking if the version of jscript.dll is 5.8.9600.19230.
Attention, different KB numbers
Microsoft uses different KB numbers for the individual Windows versions for this update. Here are the cumulative updates for Windows 10.
- KB4483235 for Windows 10 V1809: raises the OS Build to 17763.195
- KB4483234 for Windows 10 V1803: raises the OS Build to 17134.472
- KB4483232 for Windows 10 V1709: raises the OS Build to 16299.847
- KB4483230 for Windows 10 V1703: raises the OS Build to 15063.1508
- KB4483229 for Windows 10 V1607: raises the OS Build to 14393.2670
- KB4483228 for Windows 10 V1507: raises the OS Build to 10240.18064
For older Windows versions and older IE versions, the Microsoft Update Catalog provides the updates. In addition, KB article 4483187 contains more details.
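Because the About dialog on Windows 8.1 and Server 2012 R2 can show the wrong KB number, the patch level is better checked from the jscript.dll version and, on Windows 10, from the OS build numbers listed above. The following PowerShell sketch is an added example, not code from Microsoft or from this article; the function name `Test-IEUpdateLevel` is hypothetical, and it assumes that values higher than the listed ones also count as patched because the updates are cumulative.

```powershell
# Added example; thresholds are copied from the article, the function name is hypothetical.
# Assumption: updates are cumulative, so values higher than those listed also count as patched.
$MinUbr = @{          # Windows 10 build -> minimum revision after the December 19, 2018 update
    17763 = 195       # V1809
    17134 = 472       # V1803
    16299 = 847       # V1709
    15063 = 1508      # V1703
    14393 = 2670      # V1607
    10240 = 18064     # V1507
}
# jscript.dll version from the Known issues section (Windows 8.1 / Server 2012 R2)
$MinJscript = [version]'5.8.9600.19230'

function Test-IEUpdateLevel {
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][int]$Ubr,
        [Parameter(Mandatory)][version]$JscriptVersion
    )
    if ($MinUbr.ContainsKey($Build)) {
        # Windows 10: compare the build revision with the table
        $basis = "OS build $Build.$Ubr (need $Build.$($MinUbr[$Build]))"
        $ok = $Ubr -ge $MinUbr[$Build]
    } elseif ($Build -eq 9600) {
        # Windows 8.1 / Server 2012 R2: the About dialog is unreliable, use the DLL version
        $basis = "jscript.dll $JscriptVersion (need $MinJscript)"
        $ok = $JscriptVersion -ge $MinJscript
    } else {
        # The article gives no reference value for this Windows version
        $basis = "build $Build is not covered by the values in the article"
        $ok = $null
    }
    [pscustomobject]@{ Basis = $basis; Patched = $ok }
}

# Collect the local values: OS build and revision from the registry, DLL version from the file
$cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$vi  = (Get-Item (Join-Path $env:SystemRoot 'System32\jscript.dll')).VersionInfo
$ver = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
Test-IEUpdateLevel -Build ([int]$cv.CurrentBuildNumber) -Ubr ([int]$cv.UBR) -JscriptVersion $ver
```

A `Patched` value of `$null` means the machine runs a Windows version for which the article lists no build or file version, so the Microsoft Update Catalog entry has to be checked instead.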
Hello,
In the Summary assessment of the CVE we can read "Exploited : Yes".
guenni:
potential crashing problems recently reported on Askwoody.com site regarding KB4483187 update for IE:
https://www.askwoody.com/2018/reported-crash-with-the-new-out-of-band-ie-fix-on-win7-kb-4483187/
I will avoid installing the KB4483187 update for my Win7 & Win8.1 PCs and will wait for the January 2019 security updates to become available