MICROSOFT HAS RUSHED OUT an emergency patch to fix security flaws affecting Internet Explorer and Windows Defender.
The first is a remote code execution (RCE) flaw, indexed as CVE-2019-1367. This zero-day vulnerability affects Internet Explorer (IE) versions 9, 10 and 11 - which are still widely used - and exploits in the way in which Microsoft's "scripting engine handles objects in memory in IE".
According to Microsoft, attackers could exploit this vulnerability by luring potential targets (using spam email, malvertising campaigns, search engine ads, IM spam, and others) to visit a booby-trapped website using Internet Explorer.
The flaw could corrupt a system's memory and allow attackers to run arbitrary code in the context of the current user. Exploiting the flaw successfully enables an attacker to attain the same user rights as the current user.
So, if a user is logged on as a system admin, a successful attack could enable hackers to take full control of the affected system. After gaining admin rights, an attacker would become able to edit or delete data, install new programmes and create new accounts.
This RCE vulnerability, which was discovered by Clément Lecigne of Google's Threat Analysis, is already being exploited in the wild, according to Microsoft.
The second vulnerability patched on Monday is a Denial of Service (DoS) bug affecting Windows Defender tool.
It is tracked as CVE-2019-1255 and was found by Wenxu Wu and Charalampos Billinis of Tencent Security Xuanwu Lab and F-Secure Countercept, respectively.
Microsoft said that an attacker could exploit this bug to prevent legitimate users from running legitimate system binaries. However, they would first need execution on the victim's system to exploit the vulnerability.
There are no reports, so far, of the flaw being actively exploited by attackers. µ
Watch your back, Huawei
Porn-based prattery gets fisted
As long as it follows the rules
The Home in the home could be a legal minefield