Microsoft developers released emergency patches for problems CVE-2019-1367 and CVE-2019-1255, thereby eliminating two 0-day vulnerabilities: in the scripting engine of Internet Explorer and Microsoft Defender.The most serious of these two problems is the vulnerability in Internet Explorer, since it allows remote execution of arbitrary code in the context of the current user, and it is already exploited by attackers.
“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user”, — reported in a Microsoft message.
Microsoft has not yet released details about this vulnerability. It is said that the problem is present at least in IE 9-11, and to implement the attack, the attacker just needs to lure the user of the vulnerable version of Internet Explorer to a malicious site.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email”, — report in Microsoft.
Interestingly, judging by the security bulletin, for now, Windows users will have to download the patch from the Microsoft Update Catalog and manually launch it on their systems.
Through Windows Update, a fix is not yet available.
Google experts discovered the problem in Internet Explorer. Recalling, same experts recently revealed attacks on iPhone users, and then was reported about unknown attackers, which used similar tactics against Android and Windows users. However, it is not yet clear whether the 0-day bug discovered by researchers in IE is related to those attacks.
Vulnerability in Microsoft Defender (formerly Windows Defender), in turn, is a denial of service (DoS) problem.
Fortunately, in order to exploit this vulnerability, an attacker would first need to gain access to the victim’s system and find a way to execute the code. If these conditions are met, the bug allows the attacker to disable Microsoft Defender components, however, if the attacker already has rights to execute the code on the victim’s computer, he can use many other methods for invisibly executing malicious code, for example, fileless attacks.
User Review( votes)