Microsoft has urged Windows users to update Internet Explorer, after Google researchers spotted serious issues in the browser that could allow a hacker to take over their computer from afar. The December 2018 Security Update Release applies to all Windows versions, not just Windows 10, Microsoft said, including Windows 8 and Windows Server, along with versions of the browser back to Internet Explorer 8.
The flaw is described as a remote code execution vulnerability in how Internet Explorer’s scripting engine deals with objects in memory. “The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” Microsoft explains. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.”
The biggest risk comes if you’re logged into Windows as a user with administrative rights at the time of the exploit. Then, the hacker could have the privileges to completely take control of the PC, including creating new user accounts, copying and deleting data, or installing new software. However, exploiting the vulnerability wouldn’t require a PC user to install compromised software.
Instead, simply luring that person into visiting a website designed to take advantage of the security loophole might be enough. “In a web-based attack scenario,” Microsoft outlines, “an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.”
Microsoft’s fix for the problem is a change to how the Internet Explorer scripting engine deals with objects in memory. If you have Windows Update set to update automatically, and the newest security updates it has released are installed, you should be fine.
If you don’t, however, Microsoft is recommending that all users install the latest patches.
The discovery of the security flaw was actually made by Google, which notified Microsoft of the issue. Microsoft specifically credits Clement Lecigne, of Google’s Threat Analysis Group. The disclosure comes on the heels of confirmation that the Microsoft Edge browser would be moving to the Chromium engine for the desktop. That should “create better web compatibility for our customers and less fragmentation of the web for all web developers,” according to Microsoft Corporate VP Joe Belfiore.