It’s not a Patch Tuesday, but Microsoft is rolling out emergency out-of-band security patches for two new vulnerabilities, one of which is a critical Internet Explorer zero-day that cyber criminals are actively exploiting in the wild.
Discovered by Clément Lecigne of Google’s Threat Analysis Group and tracked as CVE-2019-1367, the IE zero-day is a remote code execution vulnerability in the way Microsoft’s scripting engine handles objects in memory in Internet Explorer.
The vulnerability is a memory-corruption issue that could allow a remote attacker to hijack a Windows PC just by convincing the user to view a specially crafted, booby-trapped web page hosted online when using Internet Explorer.
“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” Microsoft says in its advisory.
The vulnerability affects Internet Explorer versions 9, 10, and 11. Though users should always deploy updates for all installed software when available, it is highly recommended to use an alternative, more secure web browser such as Google Chrome or Mozilla Firefox.
Microsoft said this vulnerability is being actively exploited in the wild by attackers but did not reveal any further details about the exploit campaign.
Google recently also detected a widespread iPhone hacking campaign that indiscriminately targeted users for over two years, but Apple accused the tech company of creating a false impression of “mass exploitation.”
Microsoft also released a second out-of-band security update to patch a denial-of-service (DoS) vulnerability in Microsoft Defender, an anti-malware engine that ships with Windows 8 and later versions of the Windows operating system.
Discovered by Charalampos Billinis of F-Secure and Wenxu Wu of Tencent Security Lab and tracked as CVE-2019-1255, the vulnerability resides in the way Microsoft Defender handles files and exists in Microsoft Malware Protection Engine versions up to 1.1.16300.1.
According to an advisory published by Microsoft, an attacker could exploit this vulnerability “to prevent legitimate accounts from executing legitimate system binaries,” but in order to exploit this flaw, the attacker would “first require execution on the victim system.”
The security update for Microsoft Defender is automatic and will therefore be applied through the Microsoft Malware Protection Engine within the next 48 hours. The flaw has been addressed in the Microsoft Malware Protection Engine version 1.1.16400.2.
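To confirm that the automatic engine update has actually landed, administrators can compare the engine version Defender reports against the fixed version above. The following PowerShell is an added example, not from Microsoft's advisory; the function name `Test-DefenderEngineVersion` and the status labels are hypothetical, and it assumes the Defender PowerShell module (`Get-MpComputerStatus`) is present and, for remote hosts, that CIM/WinRM access is allowed.

```powershell
# Added example: report whether the Microsoft Malware Protection Engine on each
# host is at or above the fixed version named in the article (1.1.16400.2).
function Test-DefenderEngineVersion {
    [CmdletBinding()]
    param(
        # Hosts to check; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Fixed engine version, taken from the article.
        [version]$FixedVersion = '1.1.16400.2'
    )

    foreach ($name in $ComputerName) {
        $result = [pscustomobject]@{
            ComputerName  = $name
            EngineVersion = $null
            Status        = 'Unknown'
        }
        $session = $null
        try {
            if ($name -eq $env:COMPUTERNAME) {
                $mp = Get-MpComputerStatus -ErrorAction Stop
            } else {
                # Remote hosts are queried over a temporary CIM session.
                $session = New-CimSession -ComputerName $name -ErrorAction Stop
                $mp = Get-MpComputerStatus -CimSession $session -ErrorAction Stop
            }
            # AMEngineVersion is a dotted string; cast it so the comparison is
            # numeric per component rather than a string comparison.
            $engine = [version]$mp.AMEngineVersion
            $result.EngineVersion = $engine
            $result.Status = if ($engine -ge $FixedVersion) { 'AtOrAboveFixed' } else { 'BelowFixed' }
        } catch {
            # Defender module missing, host unreachable, or unparsable version:
            # report it instead of silently treating the host as updated.
            $result.Status = "Unknown: $($_.Exception.Message)"
        } finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
        $result
    }
}

# Check the local machine; pass -ComputerName host1,host2 for a fleet.
Test-DefenderEngineVersion | Format-Table -AutoSize
```

Hosts reported as `BelowFixed` after the 48-hour window, or as `Unknown`, are the ones to follow up on manually.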
Since both security updates are part of Microsoft’s emergency updates, and one of them even addresses a flaw being exploited in the wild right now, users are advised to deploy them as soon as possible.