Microsoft has released an out-of-band security update that fixes two critical security issues: a zero-day vulnerability in the Internet Explorer scripting engine that has been exploited in the wild, and a bug in Microsoft Defender.
The release is unusual, as Microsoft normally ships security updates on the second Tuesday of every month. The company rarely breaks this pattern, and does so only for important security issues.
All Windows users are advised to install the latest updates as soon as possible. The Defender bug will be patched automatically, while the patch for the IE zero-day has to be installed manually.
IE Zero Day Bug
Of the two bugs, the Internet Explorer zero-day is the more important one, as it has already been exploited in the wild.
Details of the attacks have not been revealed. The attacks and the zero-day were reported to Microsoft by Clément Lecigne, a member of Google’s Threat Analysis Group.
It was this Google threat intelligence team that detected the attacks using iOS zero-days against members of the Chinese Uyghur community earlier this year. Those attacks also targeted Android and Windows users; however, it is unclear whether the IE zero-day patched today is connected to them.
The IE zero-day is a very serious vulnerability, which researchers have classed as a remote code execution (RCE) issue.
Microsoft states that “the vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who has managed to successfully exploit the vulnerability could attain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. He could then install programs; view, change, or delete data; or create new accounts with full user rights.”
An Internet Explorer user can be lured to a malicious website by various methods, such as spam email, IM spam, search engine ads, malvertising campaigns, and others.
On the positive side, because the number of Internet Explorer users has fallen, fewer users are vulnerable to these attacks, so the attacks should be limited in scope.
The IE zero-day is tracked as CVE-2019-1367. Microsoft has issued a security advisory that contains links to the manual update packages, which have to be downloaded from the Microsoft Update Catalog and run by users manually. The patch for the IE zero-day is not available via Windows Update.
Defender DoS Bug
The second vulnerability fixed is a denial of service (DoS) vulnerability in Microsoft Defender, the standard antivirus that ships with Windows 8 and later versions, including Windows 10.
Microsoft states that an attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries.
However, this bug is not a major issue: to exploit it, an attacker would first need access to a victim’s system and the ability to execute code.
The bug allows an attacker to prevent Microsoft Defender components from executing, but if the attacker already has “execution rights” on a victim’s computer, there are many other ways to run malicious code undetected, such as fileless attacks.
Microsoft has released update v1.1.16400.2 to the Microsoft Malware Protection Engine, a component of the Microsoft Defender antivirus, to fix this issue.
This bug is tracked as CVE-2019-1255. Microsoft credited Charalampos Billinis of F-Secure Countercept and Wenxu Wu of Tencent Security Xuanwu Lab with discovering this issue.
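As an added example that is not from the article or from Microsoft, the following PowerShell check audits a host for both fixes described above: the Defender engine build named for CVE-2019-1255, and the manually installed IE package for CVE-2019-1367. It assumes the Defender PowerShell cmdlets are available; the article does not give the KB number of the IE package, so that value is a placeholder to be filled in from Microsoft's advisory.

```powershell
# Added example (not from the article): audit a Windows host for the two fixes
# the article describes. Assumes the Defender module (Get-MpComputerStatus) is
# present and that 'KB-PLACEHOLDER' is replaced with the KB number of the IE
# fix taken from Microsoft's advisory for CVE-2019-1367.

# Malware Protection Engine build the article names as the fix for CVE-2019-1255
$fixedEngine = [version]'1.1.16400.2'

function Test-DefenderEngineFixed {
    # AMEngineVersion is the engine build. Compare as [version], not as a
    # string, so that 1.1.16400.2 is correctly ranked above e.g. 1.1.9999.0.
    $status  = Get-MpComputerStatus
    $current = [version]$status.AMEngineVersion
    [pscustomobject]@{
        Check   = 'CVE-2019-1255 (Defender engine)'
        Current = $current.ToString()
        Fixed   = ($current -ge $fixedEngine)
    }
}

function Test-IeZeroDayFixed {
    param([string]$KbId = 'KB-PLACEHOLDER')  # placeholder: KB from the advisory
    # The IE fix is not delivered through Windows Update, so if the package is
    # absent here the Update Catalog download has not been installed on this host.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check   = 'CVE-2019-1367 (IE scripting engine)'
        Current = if ($hotfix) { $hotfix.InstalledOn } else { 'not installed' }
        Fixed   = [bool]$hotfix
    }
}

# Print one row per check; a Fixed value of False means action is still needed.
Test-DefenderEngineFixed
Test-IeZeroDayFixed
```

Run in an elevated PowerShell session; Get-HotFix only sees packages installed through the servicing stack, so a package installed by other means may need a different check.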