CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
93.2%
Microsoft Internet Explorer contains a memory corruption vulnerability in the scripting engine JScript component, which can allow a remote attacker to execute arbitrary code on a vulnerable system.
Microsoft Internet Explorer contains a scripting engine, which handles execution of scripting languages such as VBScript and JScript. The scripting engine JScript component contains an unspecified memory corruption vulnerability. Any application that supports embedding Internet Explorer or its scripting engine component may be used as an attack vector for this vulnerability.
This vulnerability was detected in exploits in the wild.
By convincing a user to view a specially crafted HTML document (e.g., a web page an email attachment), PDF file, Microsoft Office document, or any other document that supports embedded Internet Explorer scripting engine content, an attacker may be able to execute arbitrary code.
Apply an update
This issue is addressed in the update for CVE-2018-8653. If you cannot install the update, please consider the following workaround:
Restrict access to JScript.dll
According to the update for CVE-2018-8653, this vulnerability can be mitigated by restricting access to the jscript.dll
file. This can be accomplished by running the following command in a command prompt that has administrative privileges on 32-bit systems:
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
On 64-bit Windows platforms, the following command should be used:takeown /f %windir%\syswow64\jscript.dll
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
According to the Microsoft advisory: By default, IE11, IE10, and IE9 uses Jscript9.dll which is not impacted by this vulnerability._ This vulnerability only affects certain websites that utilizes jscript as the scripting engine. _ As a result, most websites should not be affected by this mitigation. Only sites that explicitly request the use of script decoding with jscript.dll
may be affected. Note that Windows Scripting Host uses jscript.dll
instead of jscript9.dll
. As a result, deploying this mitigation can prevent the use of .JS
and other similar stand-alone scripts. The above change can be reverted by running the following command with administrative privileges on a 32-bit Windows system:
cacls %windir%\system32\jscript.dll /E /R everyone
On 64-bit Windows platforms, the following commands should be used:
cacls %windir%\system32\jscript.dll /E /R everyone
cacls %windir%\syswow64\jscript.dll /E /R everyone
573168
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: December 19, 2018
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Temporal | 6.2 | E:F/RL:OF/RC:C |
Environmental | 6.2 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8653>
This vulnerability was disclosed by Microsoft, who in turn credit Clement Lecigne of Googleโs Threat Analysis Group.
This document was written by Will Dormann.
CVE IDs: | CVE-2018-8653 |
---|---|
Date Public: | 2018-12-19 Date First Published: |
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
93.2%