Microsoft drops emergency Internet Explorer fix for actively exploited zero-day
Microsoft has unexpectedly released out-of-band security updates to fix vulnerabilities in Internet Explorer and Microsoft Defender. The IE zero-day bug is deemed “critical”, as it’s being actively exploited to achieve partial or complete control of a vulnerable systems.
The Internet Explorer vulnerability (CVE-2019-1367)
CVE-2019-1367 is a memory corruption vulnerability in the scripting engine that could be exploited to achieve remote code execution.
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user – if the user is logged on with administrative user rights, that means the attacker gets complete control over the system.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email,” Microsoft explained.
This piece of information combined with the fact that the flaw was reported by Clément Lecigne of Google’s Threat Analysis Group has given rise to speculation that the vulnerability was/is being exploited by the same threat actors who exploited various iOS bugs to compromise visitors to specific booby-trapped sites.
Whether or not that conjecture is true, Microsoft obviously assessed that issuing an unscheduled patch is important, so here we are.
The vulnerability affects Internet Explorer 9, 10 and 11. Depending on the underlying system, users are advised to (download and) implement the offered security update or cumulative security update. If updating is impossible at this moment, there’s a temporary workaround that can be implemented.
The Microsoft Defender vulnerability (CVE-2019-1255)
CVE-2019-1255 is a denial of service vulnerability that could allow an attacker “to prevent legitimate accounts from executing legitimate system binaries.”
To exploit the flaw, though, the attacker must first achieve execution rights on the target system.
The fix for the flaw, which was flagged by Charalampos Billinis of F-Secure Countercept and Wenxu Wu of Tencent Security Xuanwu Lab, is being propagated through a new version of the Microsoft Malware Protection Engine (v1.1.16400.2).
“For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically,” Microsoft notes.
“For end-users, the affected software provides built-in mechanisms for the automatic detection and deployment of this update. For these customers, the update will be applied within 48 hours of its availability. The exact time frame depends on the software used, Internet connection, and infrastructure configuration. End users that do not wish to wait can manually update their antimalware software.”