Microsoft has released out-of-band security updates addressing two vulnerabilities – including an Internet Explorer zero-day vulnerability being actively exploited in the wild.
The Internet Explorer zero-day vulnerability (CVE-2019-1367) is a remote code execution flaw that could enable an attacker who successfully exploited it to gain the same user rights as the current user. The other flaw (CVE-2019-1255) is a denial-of-service flaw in Microsoft Defender. Both flaws are being addressed with out-of-band security updates, meaning that they are not part of Microsoft’s regular Patch Tuesday cycle and are instead part of an emergency update to be deployed immediately.
“Microsoft has released out-of-band security updates to address vulnerabilities in Microsoft software,” according to a Monday U.S. Computer Emergency Readiness Team (CERT) alert. “A remote attacker could exploit one of these vulnerabilities to take control of an affected system.”
The vulnerability exists in the way that the scripting engine (a vehicle for implementing scripts in various scripting languages) handles objects in memory in Internet Explorer, according to Microsoft. The vulnerability could lead to memory corruption, which ultimately could allow an attacker to execute arbitrary code in the context of the current user.
“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” Microsoft said. That could enable an attacker to then install programs; view, change, or delete data; or create new accounts with full user rights.
The flaw could also be exploited remotely and online; an attacker could host a specially-crafted website that is designed to exploit the vulnerability (via Internet Explorer) and then convince a user to view that website (by sending an email for instance).
“The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory,” according to Microsoft’s Monday advisory.
Various versions of Internet Explorer (9, 10 and 11) are vulnerable; updates for Windows 10 IE versions are available from Microsoft.
Microsoft did not release further details around the exploit campaign; Threatpost has reached out with questions about the active exploitation and how many are impacted. But Internet Explorer users are urged by US-CERT to “implement patches ASAP.”
— US-CERT (@USCERT_gov) September 23, 2019
The flaw was disclosed by Clément Lecigne, with Google’s Threat Analysis Group.
The other vulnerability (CVE-2019-1255) is a denial-of-service flaw in Microsoft Defender, the anti-malware component of Microsoft’s Windows OS. The flaw, which is present in Microsoft Malware Protection Engine versions up to 1.1.16300.1 and is addressed in Microsoft Malware Protection Engine version 1.1.16400.2, lies in the way that Microsoft Defender handles files.
“An attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries,” according to Microsoft. “To exploit the vulnerability, an attacker would first require execution on the victim system.”
The update for Microsoft Defender is automatic and will be applied within 48 hours of its availability, Microsoft said.
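Since the engine update is delivered automatically but not instantly, the check a practitioner would want is whether the local engine already carries the fixed version the article names. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the built-in Defender module (Get-MpComputerStatus, Update-MpSignature) is available on the host.

```powershell
# Added example: verify the local Microsoft Malware Protection Engine is at or
# above the version the article states fixes CVE-2019-1255, and kick off an
# update if it is not (rather than waiting up to 48 hours for the automatic one).
$fixedEngine = [version]'1.1.16400.2'   # fixed engine version, as stated in the article

$status    = Get-MpComputerStatus
$installed = [version]$status.AMEngineVersion

# [version] comparison is numeric per component, so 1.1.16400.2 > 1.1.16300.1
# is evaluated correctly (a plain string compare would not be reliable).
if ($installed -ge $fixedEngine) {
    "Engine $installed is at or above $fixedEngine: CVE-2019-1255 fix is present."
} else {
    "Engine $installed is older than $fixedEngine: fix not yet applied, requesting update."
    Update-MpSignature
    $after = [version](Get-MpComputerStatus).AMEngineVersion
    "Engine version after update attempt: $after"
}
```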
Defender has been in the news recently: last week a patch was released for a broken Microsoft Windows Defender signature file that had been causing system file checks to fail, but that patch then caused an even bigger issue, making user-triggered Defender antivirus scans fail altogether.
The Windows Defender flaw was disclosed by Charalampos Billinis of F-Secure Countercept and Wenxu Wu of Tencent Security Xuanwu Lab.