Microsoft Corp. yesterday issued out-of-band updates for a pair of security vulnerabilities, one in Internet Explorer and one in its Defender anti-malware software for Windows.
Discovered by Clément Lecigne of Google’s Threat Analysis Group and designated CVE-2019-1367, the IE bug is a memory corruption vulnerability that can be exploited for remote code execution in the context of the current user. If the current user has admin rights, then the attacker would have the power to install malicious programs, view and manipulate data and create new accounts.
Such an attack could be executed by sending potential victims emails that trick them into visiting a specially crafted website, viewed with IE.
Fixes for IE 11, 10 and 9 across various platforms have been released for downloading through security updates.
Meanwhile, the Microsoft Defender vulnerability, CVE-2019-1255, is a denial of service condition caused by mishandling of files. “An attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries,” warns a vulnerability advisory from the software giant. However, “To exploit the vulnerability, an attacker would first require execution on the victim system.”
In addition to Microsoft Defender itself, affected products include Microsoft System Center Endpoint Protection, 2012 Endpoint Protection and 2012 R2 Endpoint Protection, as well as Microsoft Forefront Endpoint Protection 2010 and Microsoft Security Essentials. Reported by Charalampos Billinis of F-Secure Countercept and Wenxu Wu of Tencent Security Xuanwu Lab, the vulnerability was fixed in version 1.1.16400.2 of the Microsoft Malware Protection Engine.
Generally speaking, patching this vulnerability should not require user action, as Microsoft pushed it out to users who are configured to receive automatic updates. Users are encouraged to verify that they are receiving automated software updates.
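One way to confirm that a Windows host has received the fixed engine is sketched below as an added example; it is not code from Microsoft or from the original article. The function name `Test-EngineVersionFixed` and the sample version strings are hypothetical; `Get-MpComputerStatus` is the standard Defender cmdlet, and the threshold 1.1.16400.2 is the fixed version quoted above.

```powershell
# Fixed Malware Protection Engine version, as quoted in the article.
$FixedEngine = [version]'1.1.16400.2'

# Hypothetical helper: is the reported engine at or above the fixed version?
function Test-EngineVersionFixed {
    param(
        [Parameter(Mandatory)][string]$EngineVersion,
        [version]$Minimum = $FixedEngine
    )
    # Compare as [version], not as strings: '1.1.9000.1' sorts after
    # '1.1.16400.2' lexically even though it is the older engine.
    return ([version]$EngineVersion) -ge $Minimum
}

# Constructed sample values (not real telemetry) showing the comparison.
foreach ($v in '1.1.9000.1', '1.1.16300.1', '1.1.16400.2', '1.1.16500.1') {
    '{0,-14} fixed: {1}' -f $v, (Test-EngineVersionFixed -EngineVersion $v)
}

# Live check on the local host. The Defender cmdlets can be absent or the
# service stopped (for example when a third-party AV product is installed),
# so both cases are reported instead of being treated as "patched".
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    try {
        $status = Get-MpComputerStatus -ErrorAction Stop
        [pscustomobject]@{
            Computer          = $env:COMPUTERNAME
            EngineVersion     = $status.AMEngineVersion
            EngineFixed       = Test-EngineVersionFixed -EngineVersion $status.AMEngineVersion
            SignaturesUpdated = $status.AntivirusSignatureLastUpdated
        }
    } catch {
        Write-Warning "Defender status could not be read: $($_.Exception.Message)"
    }
} else {
    Write-Warning 'Get-MpComputerStatus is not available on this host.'
}
```

A stale `SignaturesUpdated` timestamp alongside an old engine version suggests the host is not receiving automatic updates at all, which is the condition the article asks users to check for.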
The Defender update followed a series of reports last week of users complaining on various tech support sites that Defender was performing incomplete scans that lasted only a few seconds.
Source: SC Magazine