It’s not Patch Tuesday, but Microsoft has issued a patch for a security flaw in its Internet Explorer browser that Google found was already being exploited in the wild by attackers.
The bug, CVE-2019-1367, is a remote code execution flaw affecting IE’s scripting engine. If exploited, an attacker could gain the same privileges as the current user, and if the user is logged in with administrator rights, the attacker could “take control of an affected system”, according to Microsoft.
“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” it added.
The attacker could exploit the flaw via a malicious website or by tempting the user to open a rigged email.
Microsoft credited Clément Lecigne of Google’s Threat Analysis Group (TAG) for reporting the flaw. TAG is the group that brought to light multiple iOS vulnerabilities it said had been in use for at least two years. A week later Apple responded and criticised Google for “stoking fear among all iPhone users” when in fact the attack was targeted at the Uighur community in China.
Google TAG hasn’t released any details about the IE attacks; however, a TAG member commended Microsoft for getting the patch and advisory “out quickly”. Microsoft usually fixes all bugs in its standard Patch Tuesday update, on the second Tuesday of every month.
The US Department of Homeland Security’s cyber security unit has issued an alert about the new IE flaw.
“Microsoft has released out-of-band security updates to address vulnerabilities in Microsoft software. A remote attacker could exploit one of these vulnerabilities to take control of an affected system,” the alert states.
Microsoft also provided an update for Microsoft Defender antivirus due to an issue an attacker could exploit to create a denial of service or stop it functioning as usual.
That bug, CVE-2019-1255, is rated an “important” security update to install; however, users won’t have to take any action, as the update comes along with the usual malware definition updates. Technically this is not an out-of-band patch because Microsoft updates the engine all the time.
The issue affects the Microsoft Malware Protection Engine, or mpengine.dll, which is used in multiple products: Windows Defender, Microsoft Security Essentials, Forefront Endpoint Protection, and Microsoft System Center 2012 Endpoint Protection.
Microsoft notes this update also includes defence-in-depth updates to help improve security-related features. The flaw was reported by Charalampos Billinis of F-Secure Countercept and Wenxu Wu, a researcher with Tencent Security Xuanwu Lab.