Latest Internet Explorer Bug a Massive Risk

John Lister

Microsoft has issued an emergency patch for Internet Explorer. In the most extreme circumstances, a user simply visiting a website could give a hacker complete remote control of a computer.

Between Chrome's dominance and Edge becoming the default on new Windows machines, Internet Explorer is far from popular and is now used on around 8 percent of desktop computers. However, that still means around a hundred million machines could be affected by this bug. (Source: bbc.co.uk)

It's a sign of how serious the problem is that Microsoft has issued an emergency patch, or as it calls it, an out-of-cycle update. The bug affects versions 9 to 11 of Internet Explorer. It's described as a "Scripting Engine Memory Corruption Vulnerability."

Remote Access a Huge Risk

In simple terms, that means the process Internet Explorer uses to turn a website's code into the page shown on screen isn't accessing the computer's memory in the correct way. As a result, a hacker could gain access to the rest of the machine.

To make things worse, the bug doesn't rely on the user taking any action other than visiting a compromised webpage - for example, by following a bogus link.

Once triggered, the bug gives hackers complete remote access to the computer on the same basis as the current user. That would be particularly dangerous if the user was logged in to Windows with an administrator account (as most are).

Bug Already Exploited

Microsoft notes that an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To make things worse, Microsoft says that although the bug wasn't publicly disclosed before it released the update that fixes it, hackers are already actively exploiting it.

There are some workarounds that involve typing code into the Command Prompt. However, these are really only necessary for business networks where it takes time to roll out updates. Home users should instead concentrate on getting the update either through automatic updates or by visiting Microsoft's website. (Source: microsoft.com)

The bug was discovered and reported by Clement Lecigne of Google's Threat Analysis Group.

What's Your Opinion?

Are you surprised browsers still have such serious bugs? Do you still use Internet Explorer? Should Microsoft still offer security fixes even though it's no longer its main browser?


Comments

jamies

IE saves pages as .mht complete with embedded animated images (GIFs) - such as Excel how-tos
EDGE print s PDF loses the animation
Some retailers web pages get loaded with data that shows in IE and EDGE, saves as .MHT in IE, but gives almost empty pages in Microsoft-print-to-PDF.

And - with all the web pages I have saved as .mht for information, and evidence of postings, what can I use to print the evidence, or articles, or view them if I do not run IE?

Then again - just visit a compromised site -
Well seems that some of the organisations having their 'stuff' published through the Microsoft win-10 included 'News' app are using built-in facilities to take users to web sites and presenting other stuff through popups - typically having adverts push the [NEXT] selection box down the screen so their site link replaces the [NEXT] that (was) under the cursor when you went to select [NEXT]

So, when using your windows system, always remember how much:

Microsoft cares about user security!

jamies

I have just ended a conversation with Microsoft tech support:
Initially I was told that as I had defender my system could NOT be compromised!

Then - having finally persuaded the agent that there was a problem with IE, and that not only was it widely reported on forums, but
that MICROSOFT had issued a KB admitting the problem exists and a fix on the 23rd
As in the security gap allowed exploits that could turn off Defender the system would then be open to exploits and data extraction, and use for the distribution of other malware, and that I needed to speak to a technician with in-depth, IE and security experience.

I spoke to a tech - he pointed me to the 20th September 1903 cumulative fix sets dated 20th September, and then told me that the internal Microsoft instructions were that the cumulative fix set dated 20th September for the 1703 version of windows needed to be downloaded and applied to the 1903 windows version, as that 1327MB set included fixes that were missed from the later cumulative fix sets and their lack was the cause of the problem - and there was not actually a fix dated the 23rd September - the solution was to apply the 1703 cumulative set to the current version!

I'll think on that for a bit - especially as the Windows update shows my system is up-to-date with the 16th September fixes that are the latest set applied!

Commentary and advice regarding the support information is welcomed!

Anybody? please!

buzzallnight

No!

Are you surprised that M$ has been trying to fix win 7 for ten years

and they say you should update to 10 because 7 is still a disaster?

Are you surprised this is the same crap they said about XP?

Are you surprised that some people think 10 is better
after 8 was so bad they just skipped 9?

No!

Enroc

I love your way of thinking, I totally agree with you.

sirpaultoo

Decisions. Decisions. Installing the IE update disables MS Search on my Win7 computer. MS is aware of the bug and has labeled it 'fixed' - but it's still not fixed as of this morning.