There is no word on which threat actor is abusing the severe vulnerability for attacks.
Microsoft is urging Windows users to install an emergency security patch to address a critical vulnerability that affects multiple versions of Internet Explorer (IE) and is under active exploitation by unspecified bad actors.
The company’s advisory notes that the zero-day, listed as CVE-2019-1367, is a remote code execution vulnerability that has to do with how the browser’s scripting engine handles objects in memory. It affects IE versions 9, 10 and 11.
If exploited, the security hole could allow remote attackers to run malicious code on the affected system, giving them the same privileges as those of the current user. If the user is logged in with admin rights, the attackers could take complete control of the system to install malware, steal or tamper with data, and set up accounts with full user rights.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email,” said Microsoft. The bug has also prompted a warning from the United States’ Cybersecurity and Infrastructure Security Agency (CISA).
IE users are advised to install the updates post-haste. To do so, some user action is needed, such as by following the links to the update packages that are listed in the advisory. Microsoft has also issued temporary workarounds for users who cannot implement the fixes promptly. Various statistics put the market share of the browser’s eleventh version at between 2.6 percent and 7 percent.
The IE bug isn’t the only issue that Microsoft is fixing this week and separately from the usual security update cycle known as Patch Tuesday. Also being patched is a denial-of-service flaw that affects Windows Defender. The latter bug, designated as CVE-2019-1255, is not as severe and there are no known cases of it being actively exploited for attacks. No user action is required to plug this hole, as the update will be shipped automatically within a few days.
written by Tomas Foltyn, ESET We Live Security