Microsoft releases emergency patch for zero-day in Internet Explorer

Microsoft has released a security update for a zero-day vulnerability in Internet Explorer. According to the company, the vulnerability was being actively exploited, although it has not released details about how exactly that happens. The patch also includes a fix for Microsoft Defender.

The vulnerability is tracked as CVE-2019-1367. According to Microsoft, it lies in the way the scripting engine handles objects in memory. This allows an attacker to corrupt memory and thus achieve remote code execution from another website. If the user is logged in as an administrator, an attacker can install programs. It is also possible to obtain admin rights when the victim is logged in as a regular user. According to Microsoft, the vulnerability is present in at least Internet Explorer 9 to 11.

Such vulnerabilities are not uncommon in Internet Explorer. They are usually fixed on ‘Patch Tuesday’, the monthly day on which all available patches are distributed in one go. This time Microsoft is releasing an emergency patch, meaning the vulnerability was exploited in the wild. The vulnerability was discovered by Clément Lecigne, a researcher at Google’s Threat Analysis Group. That is the same group that recently discovered vulnerabilities in iOS that were being actively exploited. It is not known whether the attacks and attackers are comparable.

The patch also fixes a vulnerability in Microsoft Defender, CVE-2019-1255. This is a denial-of-service vulnerability. An attacker who already has access to a system can cause Defender to give a false positive, which causes an application to be blocked incorrectly. The two vulnerabilities are unrelated.