McAfee SNS Notice: CVE-2018-8653 Scripting Engine Memory Corruption Vulnerability coverage information
SNS Emails ID: SNS1790
Last Modified: 12/21/2018

Summary
Microsoft recently announced a remote code execution vulnerability in the Internet Explorer (IE) scripting engine. On December 19, Microsoft released a critical out-of-band (OOB) patch for this vulnerability. The Microsoft description is below. Further details are available here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653.

Microsoft Description
"A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory." 

McAfee Information
McAfee has been evaluating protection coverage against this CVE. The information below provides content coverage details for endpoint products. Other McAfee products, such as appliances, EDR, etc., are out of scope for this publication. The following is our initial assessment of protection. Further information is expected to follow as it becomes available.

Coverage Details

Endpoint Products: Endpoint Security (ENS), ENS Adaptive Threat Protection (ENS-ATP), Host Intrusion Prevention (HIPS), VirusScan Enterprise (VSE), WSS
  • ENS (10.2.0+) with Exploit Prevention
    • GBOP Coverage – This vulnerability is proactively covered by McAfee Generic Buffer Overflow Protection (Signature ID – 428)
  • HIPS (8.0.0+)
    • GBOP Coverage – This vulnerability is proactively covered by McAfee Generic Buffer Overflow Protection (Signature ID – 428)
  • ENS (all versions) and WSS (all versions) - Coverage based on samples observed so far. This protection is expected to be expanded over the next few days as viable exploitation attempts are seen. 
    • Minimum DAT - V3 DAT (3564) 
    • Detection names: Exploit-CVE2018-8653 & Exploit-CVE2018-8653.a
  • VSE (8.8+) - Coverage based on samples observed so far. This protection is expected to be expanded over the next few days as viable exploitation attempts are seen.
    • Minimum DAT - V2 DAT (9113)
    • Detection names: Exploit-CVE2018-8653 & Exploit-CVE2018-8653.a
Content Summary
  • DAT - V2 DAT (9113), V3 DAT (3564) – Applies to products that consume DATs. 
  • Generic Buffer Overflow Protection (GBOP) - Signature ID – 428
NOTE: Post-exploitation coverage cannot be verified at this point, but it is expected to be available via the Engine/DAT scanners on ENS, VSE, and WSS products and via advanced scanners such as ATP (JTI) rules, RP-S, and RP-D on ENS-ATP and WSS.

To receive information about McAfee product updates, sign up for the Support Notification Service at https://sns.secure.mcafee.com/signup_login.

Original Send Date

December 21, 2018
