Microsoft fights Internet Explorer remote code execution flaw and a bug in Microsoft Defender with out-of-band security update
Microsoft released an out-of-band security update on Monday to address two recent bugs: CVE-2019-1367 (Internet Explorer zero-day remote code execution flaw) and CVE-2019-1255 (denial-of-service bug in Microsoft Defender).
This release stands out more than usual because it seems to be an emergency update that needed to be launched as soon as possible. Typically, Microsoft releases security updates on the second Tuesday of every month, so the broken pattern indicates a very important security issue that had to be addressed immediately.
As Microsoft states in its post issued on Monday, this particular IE flaw could be exploited as soon as vulnerable users are directed towards predetermined websites:
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.
Internet Explorer zero-day vulnerability is the most important one to fight
The newly released unscheduled security updates patch critical vulnerabilities that attackers can exploit in the wild, especially the IE zero-day vulnerability. The remote code execution flaw, which relates to the way the scripting engine handles objects in the memory of Internet Explorer, was found by Google Threat Analysis Group.
Unfortunately, this vulnerability is present in every version of Internet Explorer that runs on Windows 7, Windows 8.1, and Windows 10. Simply put, this flaw corrupts the memory, so an attacker can easily execute arbitrary code and install programs, and view, change, or even delete various data. Since access is gained with full user rights, the attacker can also create new accounts.
According to Microsoft, in these web-based attacks the hacker can host websites crafted to exploit the vulnerability through Internet Explorer and then convince the user to view the compromised page. This can be achieved by sending an email with a hyperlink, employing malvertising campaigns, and showing ads via search engines. Once the bait is taken, a threat actor can do whatever he/she wants to the device and the data stored on it.
Microsoft Defender bug is less serious but should still be addressed
Microsoft Defender, previously known as Windows Defender, is the antivirus that runs on Windows 8 and later versions. This denial-of-service vulnerability allows an attacker to prevent legitimate accounts from executing legitimate system binaries, as Microsoft states in its update report.
This is not as dangerous as the IE flaw because a hacker needs access to the system to be able to execute the malicious code. The issue exists due to improper file handling:
A denial of service vulnerability exists when Microsoft Defender improperly handles files. An attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries.
Possible workarounds for IE zero-day flaw
However, the best workaround is to use anything but Internet Explorer. Internet Explorer accounts for only 1.97% of the market share, so there are fewer users prone to attacks. It is an outdated web browser, so try Microsoft Edge, which is safer and more functional than IE, or go for Google Chrome, Chromium, Opera, or any other browser that is way safer to use. If you are holding back from the change because of your bookmarks and other details stored in the browser, you should be aware that there are many ways to export them to any other browsing tool.