[SingCERT] Alert on Microsoft Scripting Engine Memory Corruption Vulnerability (CVE-2018-8653)

Published on Friday, 21 December 2018 11:55


Microsoft has released an out-of-band security update to address a critical vulnerability discovered in its Internet Explorer (IE) software.

This memory corruption vulnerability (CVE-2018-8653) affects IE when it browses websites that use JScript as the scripting engine.

Affected Products

The following Microsoft products are affected:

  •  Internet Explorer 9
  •  Internet Explorer 10
  •  Internet Explorer 11

An attacker could divert unsuspecting IE users to a website embedded with a specially crafted script that exploits this vulnerability.

Upon successful exploitation, the attacker could install malware; view, change, or delete data on the compromised machine; or create new accounts with full user rights.


Users and System Administrators are advised to immediately apply the out-of-band security patch released by Microsoft, available at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653.


System Administrators may choose to restrict access to JScript.dll by entering the following commands:

  •  For 32-bit systems: cacls %windir%\system32\jscript.dll /E /P everyone:N
  •  For 64-bit systems: cacls %windir%\syswow64\jscript.dll /E /P everyone:N