Out-of-band patch released earlier today

Sep 24, 2019 09:01 GMT

Microsoft has released an out-of-band security update to resolve a vulnerability in Internet Explorer that the company says is already being exploited in the wild.

The flaw, which is detailed in CVE-2019-1367, is a scripting engine memory corruption vulnerability and could allow an attacker to take full control of an unpatched host.

All an attacker needs is to lure users to a crafted website hosting code written specifically to exploit the vulnerability. Once the page is visited, the attacker obtains the same rights as the logged-in user, so if that user is an administrator, full control of the system can be obtained.

All Windows versions affected

“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” Microsoft explains.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Internet Explorer 9, 10, and 11 are all affected on Windows 7, Windows 8.1, and Windows 10. Windows Server hosts are also vulnerable unless the patch is applied.

The awkward part of this patch is that, despite addressing an actively exploited security flaw in Internet Explorer and therefore being offered as an out-of-band update, it is not shipped via Windows Update. The fix is only available as a manual update that users need to download from the Microsoft Update Catalog and install on their devices themselves.
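Because the fix is not pushed through Windows Update, a defender will want to confirm per host that it was actually installed. The PowerShell script below is an added example, not code from the article or from Microsoft. It assumes a KB number taken from the Microsoft Update Catalog entry for the host's Windows version (the article does not state one, so `KB<placeholder>` stands in for it), and it uses `Get-HotFix` together with the Internet Explorer registry key to report the state of the local machine.

```powershell
# Added example (not from the article): report whether a given out-of-band
# update is present on this host, since it is not delivered by Windows Update.
# $KbId is a placeholder; pass the KB number from the Microsoft Update Catalog
# entry for CVE-2019-1367 that matches this host's Windows version.
param(
    [string]$KbId = 'KB<placeholder>'
)

function Test-UpdateInstalled {
    param([Parameter(Mandatory)][string]$HotFixId)
    # Get-HotFix queries Win32_QuickFixEngineering, which lists updates
    # installed through the servicing stack by their KB number.
    $hf = Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue
    return [bool]$hf
}

function Get-IEVersion {
    # IE 10+ records its version in svcVersion; older builds only set Version.
    $ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    if ($props.svcVersion) { return $props.svcVersion }
    return $props.Version
}

$result = [pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    OSVersion    = [System.Environment]::OSVersion.Version.ToString()
    IEVersion    = Get-IEVersion
    HotFix       = $KbId
    Installed    = Test-UpdateInstalled -HotFixId $KbId
}
$result | Format-List

if (-not $result.Installed) {
    # The .msu must be fetched manually from the Microsoft Update Catalog;
    # wusa.exe installs a downloaded .msu package.
    Write-Warning ("Update {0} not found on {1}. Download the .msu for this OS from the " +
                   "Microsoft Update Catalog and install it, e.g. " +
                   "wusa.exe <path\to\update.msu> /quiet /norestart") -f $KbId, $env:COMPUTERNAME
}
```

Run it as `.\Check-IEPatch.ps1 -KbId KB<number>` on each host, or wrap it in `Invoke-Command` for a fleet. Note that `Get-HotFix` only sees updates applied through the servicing stack; if an image was rebuilt with the fix already slipstreamed, the version reported under the Internet Explorer registry key is the more reliable indicator.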