Microsoft has released security updates: fixed vulnerabilities in Internet Explorer and Windows Defender



Microsoft has released emergency out-of-band security updates for Windows and Windows Server that fix two critical security issues: a zero-day vulnerability in Internet Explorer (CVE-2019-1367) and a vulnerability in Microsoft Defender (CVE-2019-1255).

Microsoft has released an emergency security update that fixes two critical security issues: a zero-day remote code execution vulnerability in the Internet Explorer scripting engine that has already been reported, and a bug in Microsoft Defender.

These updates fall outside the traditional release schedule: Microsoft typically releases security updates on the second Tuesday of the month. The company rarely deviates from this schedule, and today is one such case.

Users are encouraged to install the updates as soon as they become available for their OS.

Zero Day Vulnerability

Of the two problems fixed, the zero-day vulnerability in Internet Explorer is the more important, since real cases of its exploitation have already been recorded.

Details of the attacks are still shrouded in mystery, because Microsoft is reluctant to disclose such details. We only know that Microsoft learned about the problem from Clement Lecigne, a member of Google's Threat Analysis Group.

This Google team earlier this year found zero-day attacks on iOS devices directed against members of the Chinese Uyghur community, as well as Android and Windows users. It is unclear whether the issue fixed in IE is related to these attacks.

The fixed issue is a very serious one that could lead to remote code execution.

According to Microsoft, “this vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.”

Microsoft described the attack as follows:

An attacker who successfully exploited a vulnerability gains the same rights as the current user. If the current user is logged on with administrator rights, an attacker could take full control of a vulnerable system. After that, he will be able to install programs, view, modify or delete data or create new accounts with full privileges.

To carry out an attack, an attacker must lure a victim using Internet Explorer to a malicious website, which is a rather trivial social engineering task. Such lures are typically delivered through email spam, IM spam, advertising on search engines, malicious advertising campaigns, etc.

There is some good news. According to StatCounter, Internet Explorer’s share fell to 1.97%. This means that the number of potential victims is relatively small, and the attacks will be limited in scope.

The fixed vulnerability is registered under the identifier CVE-2019-1367. In its security advisory, Microsoft lists various workarounds to protect systems if it is not possible to install the update immediately.

Bug in Microsoft Defender

The second fixed issue is a Denial of Service (DoS) vulnerability in Microsoft Defender, the standard system antivirus formerly known as Windows Defender. Microsoft Defender ships with Windows 8 and later versions of Windows, including Windows 10.

Microsoft reports that “an attacker could exploit a vulnerability to prevent trusted accounts from executing secure system binaries.”

An attack will not be easy: an attacker must not only gain access to the victim’s system, but also be able to run code on it.

This vulnerability allows cybercriminals who already have the rights to execute code on the victim’s PC to disable Microsoft Defender components. After that, they will have access to many ways to execute malicious code, for example, to carry out fileless attacks.

Microsoft has released an update that brings the Defender engine to version 1.1.16400.2 to fix this problem.

This vulnerability is registered as CVE-2019-1255. Microsoft says the problem was discovered by researchers from F-Secure and Tencent.
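
The following PowerShell checks whether a Defender engine version is at or above 1.1.16400.2, the fixed version named above. It is an added example, not code from Microsoft or from the original article; it assumes the fixed version corresponds to the AMEngineVersion value reported by Get-MpComputerStatus, and the inventory rows (computer names and versions) are constructed sample data.

```powershell
# Added example. Assumption: the fixed version from the article maps to
# the AMEngineVersion field of Get-MpComputerStatus.
$FixedEngine = [version]'1.1.16400.2'

function Test-DefenderEnginePatched {
    # Returns $true / $false, or $null when the version cannot be parsed.
    param([string]$EngineVersion)
    $parsed = $null
    if (-not [version]::TryParse($EngineVersion, [ref]$parsed)) { return $null }
    # Compare as [version]: a plain string comparison would rank
    # '1.1.9700.0' above '1.1.16400.2' and report it as patched.
    return $parsed -ge $FixedEngine
}

# Constructed inventory (hypothetical computer names and versions).
$inventory = @'
Computer,AMEngineVersion
WS-001,1.1.16400.2
WS-002,1.1.16300.1
WS-003,1.1.9700.0
SRV-01,1.1.16500.1
SRV-02,
'@ | ConvertFrom-Csv

$report = foreach ($row in $inventory) {
    $patched = Test-DefenderEnginePatched $row.AMEngineVersion
    if ($null -eq $patched) { $status = 'UNKNOWN' }
    elseif ($patched)       { $status = 'patched' }
    else                    { $status = 'VULNERABLE' }
    [pscustomobject]@{
        Computer = $row.Computer
        Engine   = $row.AMEngineVersion
        Status   = $status
    }
}
$report | Format-Table -AutoSize

# Local machine, when the Defender cmdlets are present.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $local = (Get-MpComputerStatus).AMEngineVersion
    'Local engine {0}: patched = {1}' -f $local, (Test-DefenderEnginePatched $local)
}
```

A host with a missing or unparsable version is reported as UNKNOWN rather than patched, so gaps in the inventory are not mistaken for coverage.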