While Microsoft is working on rebuilding its Internet Explorer and Edge browsers with Google's Chromium rendering engine, Google engineer Clement Lecigne discovered a critical vulnerability affecting Internet Explorer versions 9, 10 and 11. Microsoft issued an emergency update today for Windows 7, 8.1 and 10 versions, as well as Windows Server 2008, 2012, 2016 and 2019.
Internet Explorer Flaw
The bug, tracked as CVE-2018-8653, is a remote code execution vulnerability caused by how Internet Explorer's scripting engine handles objects in memory. An attacker could take advantage of this flaw to corrupt memory in such a way that they could run malicious code with the same system privileges as the current user.
As Windows accounts are Administrator (rather than Standard/Limited) by default, in most cases the malicious party would gain administrative privileges too. The attacker could then install programs, steal information, delete data and so on.
The attacker could also craft a website that would take advantage of this flaw in Internet Explorer. A user who visits the malicious site (which the target could be encouraged to visit via an email) could then have their system taken over by the attacker.
Microsoft said that the emergency patch for Internet Explorer modifies how the scripting engine handles objects to prevent this type of attack from happening.
Microsoft Is Working On a More Secure Browser
Recently, we learned that Microsoft has given up the fight against Google with its own EdgeHTML rendering engine and will soon launch its own Chromium-based browser. A former Microsoft employee blamed the move primarily on Chrome's increased dominance, as well as Google's abuse of Chrome features to prevent certain websites from working on competing browsers.
Chrome is already widely viewed as the most secure browser, while both of Microsoft’s browsers have had a long history of security issues. Even Edge is often vulnerable to attacks that exploit the browser’s integration of the Internet Explorer 11 rendering engine for legacy support purposes.
However, even though Microsoft will use Chromium, which on its own has a secure code base, the company will still have to keep up with the updates released by the open source Chromium community and Google, as well as with bugs that may appear in Microsoft’s custom user interface. We often see that other companies that have built browsers on top of Chromium use a version of Chromium that’s months behind the latest version that Google’s Chrome uses.
That means months of known security issues continuing to exist in those browsers. Attackers could take advantage of this by closely watching the types of bugs that Google fixes in the latest version of Chrome and then exploiting them in Microsoft’s new browser.
Time will tell if Microsoft will find a way to deal with this properly, by either releasing updates in lock-step with Google, through other security hardening features or by sandboxing its browser in a Windows Sandbox by default (something the company has already done for the Edge browser on enterprise versions of Windows).