Microsoft closes critical vulnerability in Internet Explorer that is being actively exploited

Microsoft has released a patch that closes a critical vulnerability. It is a vulnerability in Internet Explorer that allows attackers to execute code when the victim visits a malicious site or opens a modified Office document.

The fix for the vulnerability is part of the November Patch Tuesday package of fixes that Microsoft has been distributing via Windows Update since Tuesday. The security update deals with a total of 75 bugs, of which 11 are critical and 64 are called important.

The most risky vulnerability is labeled CVE-2019-1429. This bug, first discovered by Google Project Zero, is said to be actively exploited by attackers, according to Microsoft. The vulnerability lies in the way the scripting engine handles objects in Internet Explorer’s memory. “An attacker who manages to exploit the vulnerability could gain the same user rights as the current user. That way, he could take over the entire system, install programs, modify or delete data, or create new accounts with full user rights,” warns Microsoft.

Vulnerability CVE-2019-1429 cannot be exploited through a malicious website alone. There is also an attack scenario through an ActiveX control, marked as “safe for initialization”, that is embedded by the attacker in an application or in a Microsoft Office document.

The remaining ten critical bug fixes also include a fix for CVE-2019-1457, a workaround of a security feature in Excel discovered in October that has already been exploited.