Microsoft has issued out-of-band security patches to fix two security vulnerabilities which were being “actively exploited” by cybercriminals. These fixes address Zero-Day security flaws which could remotely grant administrative privileges and elevated levels of control to the victims’ computers. While one of the flaws existed in most recent versions of Internet Explorer, the other was within Microsoft Defender. The security vulnerabilities were officially tagged as CVE-2019-1255 andCVE-2019-1367.
Microsoft recently went on a bug-fixing spree, addressing several weird behavioral issues and flaws that developed after the infamous September 2019 Patch Tuesday Cumulative Update. Now it has issued emergency security patches to fix two security vulnerabilities, at least one of which was present within the Internet Explorer.
Microsoft Patches Security Vulnerabilities CVE-2019-1255 and CVE-2019-1367 Within Microsoft Defender and Internet Explorer:
The security vulnerability tagged as CVE-2019-1367 was discovered by Clément Lecigne of Google’s Threat Analysis Group. The Zero-Day exploit is a remote code execution vulnerability in the way Microsoft’s scripting engine handles objects in memory in the web browser. The execution of the exploit is surprisingly simple. A victim has to merely visit a specially crafted, booby-trapped web-page hosted online, using Internet Explorer browser. The exploit is a memory-corruption issue that can potentially allow an attacker to hijack a Windows PC. Moreover, the vulnerability allows remote execution, mentions the Microsoft advisory:
“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.”
It's not a Patch Tuesday, but Microsoft is rolling out emergency out-of-band security patches for two new vulnerabilities:
➡️ CVE-2019-1367 — a critical IE zero-day under active attack.
➡️ CVE-2019-1255 — DoS flaw in Microsoft Defender.
Read details: https://t.co/miqJoO3i7b
— Wang Wei (@security_wang) September 24, 2019
The CVE-2019-1367 Zero-Day Exploit affects Internet Explorer versions 9, 10, 11. In other words, most modern-day computers running a Windows OS, and using Internet Explorer, were vulnerable. Although the issue is fixed, experts insist users must use an alternative, more secure web browsers like Google Chrome or Mozilla Firefox. There’s no mention of Microsoft Edge browser, which succeeded Internet Explorer, and since it is based on the Chromium base, it is quite likely that the modern web browser is immune to this exploit.
In addition to addressing the Zero-Day Exploit in Internet Explorer, Microsoft also released a second out-of-band security update to patch a Denial-of-Service (DoS) vulnerability in Microsoft Defender. The antivirus and anti-malware software is by far the most widely used platform which comes preinstalled within Windows 10.
The exploit within Microsoft Defender, tagged as CVE-2019-1255, was discovered by Charalampos Billinis of F-Secure and Wenxu Wu of Tencent Security Lab. The flaw exists in the way Microsoft Defender handles files but affects Microsoft Malware Protection Engine versions up to 1.1.16300.1. Microsoft notes in the advisory that an attacker could exploit this vulnerability “to prevent legitimate accounts from executing legitimate system binaries.” However, to exploit this flaw, the attacker would “first require execution on the victim system.”
Microsoft releases out-of-band security update to fix:
— Catalin Cimpanu (@campuscodi) September 23, 2019
Microsoft has already issued the patch to fix the security vulnerability in Microsoft Defender. As the security update for Microsoft Defender is automatic, most Windows 10 users should receive the automatic update to the Microsoft Malware Protection Engine shortly. The fix updates the Microsoft Malware Protection Engine to version 1.1.16400.2.
Microsoft has offered a feature within Windows 10 Pro and Enterprise to postpone updates. However, it is strongly encouraged to accept these updates and get them installed. Incidentally, both the security updates are part of Microsoft’s emergency updates. Moreover, one of them even fixes a Zero-Day exploit reportedly being deployed in the wild.