CERT-In Vulnerability Note
Multiple Vulnerabilities in Microsoft Internet Explorer
Original Issue Date: July 12, 2018
Severity Rating: HIGH
- Microsoft Windows 7 for 32-bit & x64-based Systems Service Pack 1
- Microsoft Windows 8.1 for 32-bit & x64-based systems
- Microsoft Windows RT 8.1
- Microsoft Windows Server 2008 for 32-bit & x64-based Systems Service Pack 2
- Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows 10 for 32-bit & x64-based Systems
- Microsoft Windows 10 version 1607 for 32-bit & x64-based Systems
- Microsoft Windows 10 version 1703 for 32-bit & x64-based Systems
- Microsoft Windows 10 version 1709 for 32-bit & x64-based Systems
- Microsoft Windows 10 version 1803 for 32-bit & x64-based Systems
- Microsoft Windows Server 2016
Multiple vulnerabilities have been reported in Microsoft Internet Explorer which could be exploited by a remote attacker to execute arbitrary code or bypass security features.
1. Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability
These vulnerabilities exist in Microsoft Internet Explorer due to improper handling of objects in memory by the scripting engine. A remote attacker could exploit the vulnerabilities by hosting a specially crafted website and then convincing a user to visit the website.
Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.
2. Microsoft Internet Explorer Security Feature Bypass Vulnerability
This vulnerability exists when Microsoft Internet Explorer improperly handles requests involving UNC resources. A remote attacker could exploit this vulnerability by hosting a specially crafted website and then convincing a user to visit the website.
Successful exploitation of this vulnerability could allow the attacker to force the browser on the target system to load data that would otherwise be restricted.
Apply the appropriate patch as mentioned in the Microsoft Security Guidance.
The information provided herein is on an "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003