IE zero-day under active attack gets emergency patch
Microsoft has released two unscheduled security updates, one of which patches a critical Internet Explorer vulnerability that attackers are actively exploiting in the wild.
The IE vulnerability, tracked as CVE-2019-1367, is a remote code execution flaw in the way that Microsoft’s scripting engine handles objects in memory in IE. The vulnerability was found by Clément Lecigne of Google’s Threat Analysis Group, which is the same group that recently detected an advanced hacking campaign that targeted iPhone users. Researchers from security firm Volexity later said the attackers behind the campaign also targeted users of Windows and Android devices. It’s not clear if the IE vulnerabilities Microsoft is fixing now have any connection to that campaign.
Monday’s advisory said attackers could exploit the vulnerability by luring targets to use IE to visit a booby-trapped website.
Microsoft officials wrote:
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user… An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The advisory said the vulnerability is being actively exploited in the wild, but it didn’t elaborate on the attacks. The vulnerability affects IE versions 9, 10, and 11. IE has fallen out of favor since the release of Edge, which researchers widely agree is more resistant to hacking attacks. IE users who can switch to the latest version of Edge should do so. IE users who are unable to change browsers should install Monday’s out-of-band update immediately. Updates should be available automatically. Those for Windows 10 are also available here.
Separately, Microsoft released an additional unscheduled update on Monday to fix a denial-of-service vulnerability in the Microsoft Defender antimalware engine. Formerly known as Windows Defender, the antivirus service ships with Windows 8 and later versions.
An advisory Microsoft published Monday said attackers could exploit the flaw to “prevent legitimate accounts from executing legitimate system binaries.” Based on the wording of the advisory, the requirements for exploiting the vulnerability are high. For a DoS to be successful, the advisory said, “an attacker would first require execution on the victim system.” The advisory said there are no indications the flaw is being actively exploited.
Indexed as CVE-2019-1255, the vulnerability was privately reported to Microsoft by Charalampos Billinis of F-Secure Countercept and Wenxu Wu of Tencent Security Xuanwu Lab. The update should be installed automatically through the Microsoft Malware Protection Engine in the next 48 hours.