Use Of Internet Explorer Heavily Discouraged. Major Flaw Discovered

Internet Explorer, the former king of desktop browsers, has fallen from grace and been replaced by the new king, Google Chrome. According to Netmarketshare.com, Internet Explorer was used on only 11.11% of desktop/laptop machines globally on average in 2018, far below the current top browser, Chrome, with a commanding 63.82% of browser share.

A different data set from Statcounter.com shows Internet Explorer with even more miserable usage numbers, down to just 6.75% of desktop/laptop market share for 2018:

[Figure: StatCounter worldwide monthly browser share, 2018-01 to 2018-11, bar chart]

Globally, the importance of the erstwhile king of all browsers has clearly receded. Microsoft has lost a lot of browser market share, even though it has strongly promoted Edge, the default browser in all Windows 10 installations since 2015. Users who left Internet Explorer have not migrated to Edge but went to Chrome instead, as evidenced by Edge's very low usage share in both the Netmarketshare and Statcounter statistics.

Internet Explorer 11 is still bundled with Windows 10, even though Microsoft has put its full support behind the Edge browser. Microsoft's promotion even went to the point that installing rival browsers on Windows 10 build 1809 is soft-blocked by a nag screen:

[Figure: Microsoft Edge warning screen]

A critical zero-day vulnerability in Internet Explorer, tracked as CVE-2018-8653, was recently disclosed. It is a nasty remote code execution bug in Internet Explorer's aging Trident scripting engine. Since 2015, Microsoft has deprecated the Trident engine for Edge in favor of a newer, evolved form named Chakra. That engine will in turn soon be superseded by Chromium's Blink V8, as Microsoft announced that future versions of Edge will ditch Chakra in favor of Blink V8, which will basically end the browser wars.

However, even though Trident is deprecated, all unpatched versions of Windows 10 are vulnerable to CVE-2018-8653, because Trident still lives in the system in the form of Internet Explorer 11, which Microsoft left there to cater to corporate users who depend on ActiveX-based intranet systems. The vulnerability is caused by memory corruption in the JavaScript engine of IE11, the only version of Internet Explorer still supported by Microsoft. An attacker who takes advantage of the bug executes arbitrary code with whatever privileges the logged-in user has.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” explained Microsoft in the official advisory.

Microsoft urges all users not to delay running Windows Update, so that they receive the patch automatically. System administrators who need to test patches before deploying them in their corporate network may use the following mitigation to prevent exploitation of the bug until the patch is installed:

Execute using Command Prompt:

For 64 Bit Windows:

cacls %windir%\syswow64\jscript.dll /E /P everyone:N

For 32 Bit Windows:

cacls %windir%\system32\jscript.dll /E /P everyone:N
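
A check an administrator could run after applying the mitigation above, to confirm it took effect on a given machine. This is an added example, not part of the original article or of Microsoft's advisory; the function name Test-JscriptMitigation is hypothetical, and the script assumes the cacls command leaves a Deny entry for Everyone (SID S-1-1-0) on jscript.dll.

```powershell
# Added example, not from the original article or from Microsoft.
# Assumption: after the cacls command, Everyone (SID S-1-1-0) holds a Deny entry
# on jscript.dll, so ordinary read access to the file fails.
function Test-JscriptMitigation {
    param(
        # Default path follows the article: syswow64 on 64-bit, system32 on 32-bit.
        [string]$Path = $(if ([Environment]::Is64BitOperatingSystem) {
                "$env:windir\syswow64\jscript.dll"
            } else {
                "$env:windir\system32\jscript.dll"
            })
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Readable = $null; DenyEveryone = $null; Status = 'FileNotFound' }
    }

    # Behavioural check: a process that cannot open the DLL cannot load it.
    $readable = $true
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        $stream.Dispose()
    } catch [System.UnauthorizedAccessException] {
        $readable = $false
    }

    # ACL check: look for the Deny entry by SID, because the name "Everyone"
    # is localized. Reading the ACL can itself be denied once the entry exists.
    $denyEveryone = $null
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $denyEveryone = [bool]($rules | Where-Object {
                $_.IdentityReference.Value -eq 'S-1-1-0' -and
                $_.AccessControlType -eq 'Deny'
            })
    } catch {
        # Leave $denyEveryone as $null: the ACL could not be read by this account.
    }

    [pscustomobject]@{
        Path         = $Path
        Readable     = $readable
        DenyEveryone = $denyEveryone
        Status       = $(if ($readable) { 'NotMitigated' } else { 'Mitigated' })
    }
}

Test-JscriptMitigation
```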

Kevin Jones

Kevin Jones, Ph.D., is a research associate and a cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. Currently, he is a freelance writer on the latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.
