Microsoft today issued a rare emergency security update for Internet Explorer to address a critical flaw in the browser that's being exploited right now in the wild.
Redmond says the vulnerability, a scripting-engine memory-corruption bug designated CVE-2019-1367, can be abused by a malicious webpage or email to achieved remote code execution: that means Windows PCs can be hijacked by viewing a suitably booby-trapped website, or message, when using Internet Explorer. Malware, spyware, and other software nasties can be injected to run on the computer, in that case.
Discovery of the flaw, and its exploitation in the wild by miscreants to commandeer systems, was attributed to Clément Lecigne of the Google Threat Analysis Group. The programming blunder is present in at least IE 9 to 11.
Such flaws are not uncommon, and Microsoft typically patches anywhere from 10-20 browser and scripting engine remote code execution bugs each month with the Patch Tuesday bundle. Because they allow remote code execution with little or no user warning or interaction, Redmond considers such bugs to be critical security risks.
In this case, the severity of the flaw combined with the fact that vulnerability is being actively targeted has prompted Microsoft to break its normal patch cycle and release the update today, rather than wait until October 8 when the next Patch Tuesday drop is due to arrive.
Granted, Internet Explorer is not the ubiquitous web browser it once was. According to figures from Netmarketshare, IE lags behind Chrome and Firefox, accounting for just 8.3 per cent of the desktop world. Microsoft is pushing users to move to its newer Edge browser and its improved security protections.
Even those who don't use IE as their primary browser are likely to still have it installed on their PCs, however, so it's worth downloading and installing this patch (via Windows Update for most) even if you don't use IE often.
While you're updating, grab this Windows Defender fix
Microsoft also dropped a fix for a less-severe denial of service vulnerability in the Windows Defender security tool.
CVE-2019-1255 describes a file-handling error in Defender that will cause the security tool to generate a false positive when scanning an application. An attacker who already has access to the system could abuse the feature to make the tool block some applications.
"An attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries," Microsoft said.
Because the flaw would only prevent access, and because it already requires the attacker to have code already running on the target machine, this flaw should be considered a far lower priority than the IE bug. It has not been previously disclosed nor targeted in the wild.
In most cases, users will not even notice the update being installed, as the fix is automatically pushed out with the Malware Protection Engine update. Credit for the discovery was given to Charalampos Billinis of F-Secure Countercept and Wenxu Wu of Tencent Security Xuanwu Lab. ®