Microsoft November Patch Tuesday Is Out With An Internet Explorer Zero-Day

This Tuesday, Microsoft released its scheduled Patch Tuesday updates for November. These include fixes for a serious zero-day flaw affecting Internet Explorer and 73 other bugs.

Zero-Day Flaw In Internet Explorer

Reportedly, multiple researchers found a zero-day vulnerability in Internet Explorer that was involved in numerous active exploitations.

The vulnerability existed in the way the scripting engine handles objects in memory. When triggered, it allowed an attacker to remotely execute arbitrary code on the target system in the context of the current user. This was particularly dangerous if the current user had admin access to the system.

Explaining this critical vulnerability, CVE-2019-1429, further in an advisory, Microsoft stated:

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

Unfortunately, criminal hackers came to know of this vulnerability before public disclosure and later exploited it in the wild. However, Microsoft has now fixed this bug with the Patch Tuesday update bundle.

Other Microsoft November Patch Tuesday Updates

In addition to the zero-day, Microsoft also fixed 12 critical security flaws. All of these could allow remote code execution if exploited. It also fixed 61 important-severity vulnerabilities. If exploited, these could lead to spoofing, denial of service, information disclosure, privilege escalation, security feature bypass, and remote code execution.

In all, with this update, Microsoft patched 74 different bugs affecting Microsoft Windows, Microsoft Edge, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Exchange Server, ChakraCore, Visual Studio, Open Source Software, and Azure Stack.

Let us know your thoughts in the comments.
