The critical vulnerability could also be exploited via a malicious Microsoft Office document.
Microsoft has shipped out a fix for a critical flaw in Internet Explorer (IE) that is being exploited in the wild. Tracked as CVE-2019-1429, the vulnerability is part of this month’s batch of regular security updates known as Patch Tuesday.
The zero-day is a remote code execution flaw that, according to Microsoft’s advisory, has to do with how the browser’s scripting engine handles objects in memory. The security hole affects all current IE versions and could be exploited by a threat actor to lure the victims to visit a malicious website via the browser.
“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” said the technology giant. From there, the attackers could install programs, tamper with data; and create new accounts with full user rights.
Importantly, there’s another possible attack vector – and it doesn’t even require you to use IE for your typical web browsing needs. “An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine,” said Microsoft.
Details are sparse about the nature of the attacks exploiting the vulnerability, which was discovered independently by researchers from Google, Resecurity and iDefense Labs. Resecurity did say, however, that the flaw has probably been exploited in conjunction with a previously discovered vulnerability listed as CVE-2019-0880. The company stopped short of attributing the attacks to a particular APT group, but said that it believes that the attacks have been carried out by a cyberespionage group to target a range of victims in various parts of the world.
There are no known mitigating factors or workarounds for users who cannot implement the fix promptly. To be sure, the zero-day is not the only reminder why you should waste no time in plugging security holes, especially those that require little in the way of user interaction.
Neatly summarized in this table by the SANS Technology Institute, this month’s bundle of security patches fixes 74 flaws across various products and services, including Microsoft Edge, Office, Exchange Server, and Windows Hyper-V. Fifteen of the vulnerabilities have been given Microsoft’s highest severity ranking of “critical”, with the rest listed as “important”.