Microsoft has released two unscheduled security updates, one of which patches a critical Internet Explorer vulnerability that attackers are actively exploiting in the wild.
The IE vulnerability, tracked as CVE-2019-1367, is a remote code execution flaw in the way that Microsofts scripting engine handles objects in memory in IE. The vulnerability was found by Clément Lecigne of Googles Threat Analysis Group, which is the same group that recently detected an advanced hacking campaign that targeted iPhone users. Researchers from security firm Volexity later said the the attackers behind the campaign also targeted users of Windows and Android devices. Its not clear if the IE vulnerabilities Microsoft is fixing now have any connection to that campaign.
Mondays advisory said attackers could exploit the vulnerability by luring targets to use IE to visit a booby-trapped website.
Microsoft officials wrote:
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user… An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The advisory said the vulnerability is being actively exploited in the wild, but it didnt elaborate on the attacks. The vulnerability affects IE versions 9, 10, and 11. IE has fallen out of favor since the release of the Edge, which researchers widely agree is more resistant to hacking attacks. IE users who can switch to the latest version of Edge should do so. IE users who are unable to change browsers should install Mondays out-of-band update immediately. Updates should be available automatically. Those for Windows 10 are also available here.
Separately, Microsoft released an additional unscheduled update on Monday to fix a denial-of-service vulneraRead More – Source
