Microsoft on Monday released patches for two vulnerabilities, including an Internet Explorer zero-day and a denial-of-service (DoS) flaw affecting Microsoft Defender.
The Internet Explorer zero-day, tracked as CVE-2019-1367, has been described as a memory corruption issue that allows remote code execution. The security hole impacts Internet Explorer 9, 10 and 11. Microsoft says it is aware of both newer and older variants.
“The vulnerability could corrupt memory so that in the present user context, an attacker could perform arbitrary code. An intruder who exploited the vulnerability effectively could achieve the same user privileges as the present user. If the present user is logged in with administrative user privileges, an intruder who exploited the vulnerability effectively might control the impacted system,” advised Microsoft.
To exploit this vulnerability, an attacker must persuade a targeted user to visit a malicious website using a vulnerable version of Internet Explorer.
Microsoft has credited Clément Lecigne of Google’s Threat Analysis Group for reporting CVE-2019-1367. Google’s Threat Analysis Group has in the past notified Microsoft of several actively exploited vulnerabilities in Windows and Internet Explorer, including CVE-2019-0676, CVE-2019-0808 and CVE-2018-8653.
No information on attacks exploiting CVE-2019-1367 has been made available.
Microsoft noted that, by default, Internet Explorer runs on all supported Windows Server versions in a restricted mode called Enhanced Security Configuration, which would mitigate risk.
A workaround has been provided for users who cannot apply the patches for JScript.dll, but it can affect the functionality of features and components that depend on JScript.dll.
Microsoft’s second security update on Monday patches a DoS vulnerability in Microsoft Defender, a Windows-based anti-malware tool.
The vulnerability, tracked as CVE-2019-1255, allows an attacker who has access to the targeted system to “prevent legitimate accounts from executing legitimate system binaries.” The vulnerability also affects Microsoft Forefront Endpoint Protection 2010, Security Essentials, and System Center Endpoint Protection. The tech giant has updated its Microsoft Malware Protection Engine (version 1.1.16400.2) to fix the vulnerability. Most users do not need to take action because Malware Protection Engine updates are delivered automatically by default.
Researchers from F-Secure and Tencent reported the issue to Microsoft, and there is no evidence that it has been exploited in the wild.