search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Microsoft Internet Explorer scripting engine JScript memory corruption vulnerability

Vulnerability Note VU#573168

Original Release Date: 2018-12-19 | Last Revised: 2018-12-21

Overview

Microsoft Internet Explorer contains a memory corruption vulnerability in the scripting engine JScript component, which can allow a remote attacker to execute arbitrary code on a vulnerable system.

Description

Microsoft Internet Explorer contains a scripting engine, which handles execution of scripting languages such as VBScript and JScript. The scripting engine JScript component contains an unspecified memory corruption vulnerability. Any application that supports embedding Internet Explorer or its scripting engine component may be used as an attack vector for this vulnerability.

This vulnerability was detected in exploits in the wild.

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page an email attachment), PDF file, Microsoft Office document, or any other document that supports embedded Internet Explorer scripting engine content, an attacker may be able to execute arbitrary code.

Solution

Apply an update

This issue is addressed in the update for CVE-2018-8653. If you cannot install the update, please consider the following workaround:

Restrict access to JScript.dll

According to the update for CVE-2018-8653, this vulnerability can be mitigated by restricting access to the jscript.dll file. This can be accomplished by running the following command in a command prompt that has administrative privileges on 32-bit systems:

    takeown /f %windir%\system32\jscript.dll
    cacls %windir%\system32\jscript.dll /E /P everyone:N
On 64-bit Windows platforms, the following command should be used:
    takeown /f %windir%\syswow64\jscript.dll
    cacls %windir%\syswow64\jscript.dll /E /P everyone:N
    takeown /f %windir%\system32\jscript.dll
    cacls %windir%\system32\jscript.dll /E /P everyone:N

According to the Microsoft advisory: By default, IE11, IE10, and IE9 uses Jscript9.dll which is not impacted by this vulnerability. This vulnerability only affects certain websites that utilizes jscript as the scripting engine. As a result, most websites should not be affected by this mitigation. Only sites that explicitly request the use of script decoding with jscript.dll may be affected. Note that Windows Scripting Host uses jscript.dll instead of jscript9.dll. As a result, deploying this mitigation can prevent the use of .JS and other similar stand-alone scripts. The above change can be reverted by running the following command with administrative privileges on a 32-bit Windows system:
    cacls %windir%\system32\jscript.dll /E /R everyone

On 64-bit Windows platforms, the following commands should be used:
    cacls %windir%\system32\jscript.dll /E /R everyone
    cacls %windir%\syswow64\jscript.dll /E /R everyone

Vendor Information

573168
 
Expand all

Microsoft Affected

Updated:  December 19, 2018

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal 6.2 E:F/RL:OF/RC:C
Environmental 6.2 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8653

Acknowledgements

This vulnerability was disclosed by Microsoft, who in turn credit Clement Lecigne of Google’s Threat Analysis Group.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2018-8653
Date Public: 2018-12-19
Date First Published: 2018-12-19
Date Last Updated: 2018-12-21 14:26 UTC
Document Revision: 24

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis