Microsoft has urgently patched two security vulnerabilities, one of which is an actively exploited zero-day.
Urgently Patched Microsoft Zero-Day
Microsoft has issued an urgent fix for a zero-day vulnerability under active exploitation. The vendor describes it as a scripting engine memory corruption vulnerability in Internet Explorer.
Elaborating on this vulnerability (CVE-2019-1367) in their advisory, Microsoft stated,
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
This means that successful exploitation could give the attacker the same user rights as the current user. That is particularly dangerous when the user has admin rights: in such a case, the attacker could take complete control of the system, including installing programs, modifying or deleting data, and creating accounts with full user rights.
Triggering this bug wasn’t so difficult either.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.
While the bug remained publicly undisclosed, Microsoft confirmed active exploitation of this flaw.
DoS Flaw Fixed In Microsoft Defender
Apart from the urgently patched zero-day, Microsoft also fixed another serious vulnerability that affected Microsoft Defender.
Specifically, it is a denial of service vulnerability (CVE-2019-1255) in Microsoft Defender. Microsoft stated in their advisory,
A denial of service vulnerability exists when Microsoft Defender improperly handles files. An attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries.
An attacker would first need execution on the target system to exploit the flaw successfully.
According to Microsoft, the last version of Microsoft’s Malware Protection Engine bearing this flaw is version 1.1.16300.1. Fortunately, Microsoft patched this bug with the release of version 1.1.16400.2, before any public disclosure or reported exploitation in the wild. Users should make sure their systems are updated to the latest patched version of the program.
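One way to check an engine version against the two versions given above, as an added example that is not from the article or from Microsoft. It assumes the Defender PowerShell module (`Get-MpComputerStatus`) is available, treats every version at or below 1.1.16300.1 as affected, and uses status labels, host names and sample versions that are constructed for illustration.

```powershell
# Added example, not Microsoft's code. Versions below are the two the article names.
$LastAffected = [version]'1.1.16300.1'   # last affected engine version
$FirstFixed   = [version]'1.1.16400.2'   # first fixed engine version

function Get-EngineStatus {
    param([string]$EngineVersion)

    # Compare as [version], never as text: the constructed value '1.1.9999.0'
    # sorts after '1.1.16400.2' as a string although it is the older build.
    $parsed = $null
    if (-not [version]::TryParse($EngineVersion, [ref]$parsed)) {
        return 'Unparseable'
    }
    # Assumption: everything at or below the last affected version is affected.
    if ($parsed -le $LastAffected) { return 'Affected' }
    if ($parsed -ge $FirstFixed)   { return 'Patched' }
    return 'Indeterminate'   # falls between the two versions the article gives
}

# Local host: AMEngineVersion is the engine version Defender reports.
try {
    $local = (Get-MpComputerStatus -ErrorAction Stop).AMEngineVersion
    '{0}: engine {1} -> {2}' -f $env:COMPUTERNAME, $local, (Get-EngineStatus $local)
} catch {
    Write-Warning "Could not query Defender on this host: $($_.Exception.Message)"
}

# Constructed inventory (hypothetical host names and versions) for an offline run.
$inventory = @(
    [pscustomobject]@{ Computer = 'ws-001'; Engine = '1.1.16300.1' }
    [pscustomobject]@{ Computer = 'ws-002'; Engine = '1.1.16400.2' }
    [pscustomobject]@{ Computer = 'ws-003'; Engine = '1.1.9999.0' }
    [pscustomobject]@{ Computer = 'ws-004'; Engine = '1.1.16350.0' }
    [pscustomobject]@{ Computer = 'ws-005'; Engine = 'unknown' }
)
$inventory | Select-Object Computer, Engine,
    @{ Name = 'Status'; Expression = { Get-EngineStatus $_.Engine } }
```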