Microsoft issued a security patch for Internet Explorer Zero-day flaw

by Julie Splinters - - 2019-09-24

Microsoft fights Internet Explorer remote code execution flaw and a bug in Microsoft Defender with out-of-band security update

Microsoft releases new security update IE zero-day vulnerability is addressed with new security update from Microsoft.

Microsoft released a security update to address two recent bugs:^[1] CVE-2019-1367 (Internet Explorer zero-day remote execution flaw) and CVE-2019-1255 (denial-of-service bug in Microsoft Defender) got patched on an out-of-band security update on Monday.^[2]

This release stands out more than usual because it seems to be an emergency update that needed to be launched as soon as possible. Typically, Microsoft releases security updates on the second Tuesday of every month, so the broken pattern indicates a very important security issue that had to be addressed immediately.

As Microsoft states in their post issued on Monday,^[3] the particular IE flaw could be exploited as soon as vulnerable users visit are directed towards predetermined websites:

The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.

Internet Explorer zero-day vulnerability is the most important one to fight

The newly released unscheduled security updates patch critical vulnerabilities that attackers can exploit in the wild, especially the IE zero-day vulnerability. The remote code execution flaw which relates to the way the scripting engine handles objects in the memory of Internet Explorer was found by Google Threat Analysis Group.^[4]

Unfortunately, this vulnerability can be located in every version of Internet Explorer that runs on Windows 7, Windows 8.1, and Windows 10. Simply put, this flaw corrupts the memory, so an attacker can easily execute arbitrary code and install programs, and view, change, or even delete various data. Since the access gained is with the full user rights, new accounts can also be created by the attacker.

According to Microsoft, these web-based attacks can allow the hacker to host websites crafted to exploit the vulnerability through Internet Explorer, to convince the user to view the compromised page. This can be achieved by sending an email with a hyperlink, employing malvertising campaigns, and showing ads via search engines. Once the bait is taken, a threat actor can do whatever he/she wants to the device and data stored on it.^[5]

Microsoft Defender bug is less serious but should still be addressed

Microsoft Defender is the antivirus that runs on Windows 8 and later versions, previously known as Windows Defender. This denial-of-service vulnerability allows an attacker to prevent legitimate accounts from launching proper binary codes, as Microsoft states in their update report.^[6]

This is not so dangerous as the IE flaw because hacker needs to access the system to be able to execute the malicious code. This issue exists due to inaccurate file handling:

A denial of service vulnerability exists when Microsoft Defender improperly handles files. An attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries.

Possible workarounds for IE zero-day flaw

There is a possible workaround if your device is running Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019. Internet Explorer runs in restricted mode, and this reduces the possibility that the user could download the malware. Microsoft also provides commands that users can enter into 32bit or 64bit systems and protect the network by restricting access to JavaScript function.

However, the best workaround is to use anything but Internet Explorer. Internet Explorer usage only goes to 1.97% of the market share, so there are fewer users prone to attacks. It is an outdated web browser, so try Microsoft Edge that is safer and more functional that IE, or go for Google Chrome, Chromium, Opera, or any other browser that is way safer to use. If you restrain from the change because of your bookmarks and other details stored on the browser, you should be aware that there are many ways to export them to any other browsing tool.

About the author

Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions

References

^ Lindsey O'Donnell. Microsoft Internet Explorer zero-day flaw addressed in out-of-band security update. Threatpost. Security news.
^ Dan Goodin. IE zero-day under active attack gets emergency patch. Arstechnica. IT news, reviews, and analysis.
^ Scripting Engine Memory Corruption Vulnerability. Microsoft. Security update report.
^ Shaun Nichols. Nine words to ruin your Monday: Emergency Internet Explorer patch amid in-the-wild attacks. Theregister. Tech and science news for IT professionals and fans.
^ Mark Hachman. A new Internet Explorer bug can take over your entire PC, so stop using it. PCworld. News, tips, and reviews from experts on PCs.
^ Microsoft Defender Denial of Service Vulnerability. Microsoft. Security update report.