Microsoft rushes out fix for Internet Explorer zero-day
By John E Dunn | Wed, 25 Sep 2019 11:48:58 +0000
Windows users always struggled to live securely with Internet Explorer – and now it’s been superseded in Windows 10, it’s as if they’re now struggling to live securely without it.
Witness this week’s rush by Microsoft to push out two out-of-band fixes: one for a flaw in Internet Explorer versions 9 to 11 that the company says is a zero-day being exploited in real attacks, and one for Microsoft Defender.
The zero-day (CVE-2019-1367) was reported to Microsoft by Clément Lecigne of Google’s Threat Analysis Group. It’s a memory corruption bug in the browser’s JScript scripting engine (jscript.dll) that leads to remote code execution (RCE) in the context of the current user, which Microsoft says could allow an attacker to:
… install programs; view, change, or delete data; or create new accounts with full user rights.
No further details have been made public in the advisory, but as with most browser vulnerabilities, exploitation means luring an unpatched user to a malicious or compromised website in IE. Note that the vulnerable engine isn’t reachable only through the browser window: the same scripting engine is loaded by applications that embed the IE rendering engine, so IE not being the default browser is not, on its own, a guarantee of safety.
No big deal?
Because IE is only used by a few percent of users, in theory this minimises the scope of the flaw.
However, because IE code still lurks in every version of Windows, including Windows 10, the number of people actively using it might not be the whole story.
Some will still have it on their Windows 7 and 8 computers, which means they could still be vulnerable if it’s set as the default browser or they can be persuaded to open a malicious website in it.
On Windows 10, IE11 is still shipped (it is listed as an optional Windows feature, and it is present unless someone has turned it off), but Microsoft’s Edge or another unaffected browser will normally be the default, so the risk for most users is someone deliberately launching IE or following a link that opens in it.
Note that the out-of-band update must be fetched and installed manually rather than arriving via automatic Windows Update. Microsoft’s advisory lists Windows 10 alongside 7, 8.1 and the server editions as affected, so the manual nature of the fix should not be read as Windows 10 users being safe: if IE11 is present on the machine, it needs the patch.
IE scripting flaws aren’t exactly unheard of, as demonstrated by a proof of concept exploit from earlier this year, or CVE-2018-8653 from late 2018.
Microsoft Defender flaw
The second part of this week’s update patches CVE-2019-1255, a denial of service vulnerability in Windows’ built-in security engine, Microsoft (formerly Windows) Defender.
Essentially, an attacker could feed Defender a crafted file it handles badly, and exploit that “to prevent legitimate accounts from executing legitimate system binaries.” In other words, the denial of service is aimed at the system rather than at Defender itself: the security engine is abused to stop legitimate programs from running.
The updated version is Microsoft Malware Protection Engine version 1.1.16400.2.
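Because both of this week’s fixes have to be checked for by hand (the IE update is a manual install, and the Defender engine updates on its own schedule), here is an added example of a read-only exposure check, written for this article and not taken from it or from Microsoft. It assumes the fixed Defender engine version is the 1.1.16400.2 quoted above, that jscript.dll lives in System32 (and SysWOW64 on 64-bit Windows), and that IE11 on Windows 10 is the optional feature named Internet-Explorer-Optional-*. No fixed jscript.dll version is hard-coded because the article does not give one; the script reports what it finds so you can compare it against the package you deployed. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not code from the article or from Microsoft): read-only check of
# exposure to CVE-2019-1367 (IE JScript engine) and CVE-2019-1255 (Defender engine).
# Assumptions: fixed Defender engine 1.1.16400.2 (from the article); standard
# jscript.dll locations; IE11 optional-feature name on Windows 10.

$DefenderFixedEngine = [version]'1.1.16400.2'

function Get-IeState {
    # Windows 10: IE11 is an optional feature (present by default, Edge is the default
    # browser). Windows 7/8: not an optional feature, so the cmdlet returns nothing.
    $feature = Get-WindowsOptionalFeature -Online -ErrorAction SilentlyContinue |
               Where-Object { $_.FeatureName -like 'Internet-Explorer-Optional-*' }
    $ieExe = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
    [pscustomobject]@{
        FeatureState = if ($feature) { "$($feature.State)" } else { 'not an optional feature on this OS' }
        IePresent    = Test-Path $ieExe
        IeVersion    = if (Test-Path $ieExe) { (Get-Item $ieExe).VersionInfo.ProductVersion } else { $null }
    }
}

function Get-JScriptDllState {
    # The vulnerable engine is jscript.dll. 64-bit Windows carries a 64-bit and a
    # 32-bit copy, loaded by different IE/host processes, so report both.
    foreach ($dir in 'System32', 'SysWOW64') {
        $path = Join-Path $env:WINDIR "$dir\jscript.dll"
        if (-not (Test-Path $path)) { continue }
        $item = Get-Item $path
        # Microsoft's interim workaround for this CVE denied 'Everyone' access to
        # jscript.dll. If it was applied it must be reverted once the real fix is
        # installed, otherwise IE and anything else hosting JScript keeps failing.
        $denied = (Get-Acl $path).Access | Where-Object {
            $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Deny'
        }
        [pscustomobject]@{
            Path              = $path
            FileVersion       = $item.VersionInfo.FileVersion
            LastWriteUtc      = $item.LastWriteTimeUtc
            WorkaroundApplied = [bool]$denied
        }
    }
}

function Get-DefenderEngineState {
    # AMEngineVersion is the Malware Protection Engine build, which is what the
    # CVE-2019-1255 fix changes; it ships with definition updates, not Windows Update.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $status) {
        return [pscustomobject]@{
            EngineVersion = $null; EngineFixed = $null
            Note = 'Defender cmdlets unavailable (Defender absent or third-party AV active)'
        }
    }
    $engine = [version]$status.AMEngineVersion
    [pscustomobject]@{
        EngineVersion = $engine
        EngineFixed   = ($engine -ge $DefenderFixedEngine)
        Note          = if ($engine -ge $DefenderFixedEngine) { 'engine at or above 1.1.16400.2' }
                        else { 'update Defender definitions to pull the fixed engine' }
    }
}

Write-Host '== Internet Explorer =='
Get-IeState | Format-List
Write-Host '== jscript.dll (CVE-2019-1367) =='
Get-JScriptDllState | Format-Table -AutoSize
Write-Host '== Microsoft Defender engine (CVE-2019-1255) =='
Get-DefenderEngineState | Format-List
```

Two caveats when reading the output. A machine where the IE feature shows as Disabled still has jscript.dll on disk, so compare the file version and timestamp against the update you pushed rather than relying on the feature state alone. And a WorkaroundApplied value of True means someone followed Microsoft’s interim mitigation of denying Everyone access to the DLL; that deny ACE should be removed after the proper update is installed, or legitimate JScript hosts will keep breaking.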
IE 10 support ended in January 2016. As for version 11, as far as we can tell from Microsoft’s documentation, this will be supported for as long as the versions on which it is integrated are themselves supported. For some Windows 10 versions, that implies support far into the future.