Naked Security

Microsoft rushes out fix for Internet Explorer zero-day

Microsoft has rushed out patches for two flaws, one of them an Internet Explorer 9 to 11 bug that the company says is being exploited in real attacks.

Windows users have always struggled to live securely with Internet Explorer, and now that it has been superseded in Windows 10 it's as if they're struggling to live securely without it.

Witness this week's rush by Microsoft to patch two high-priority flaws. One is a zero-day in IE versions 9 to 11 that the company says is being exploited in real attacks; the other is in Microsoft Defender.

The zero-day (CVE-2019-1367) was reported to Microsoft by Clément Lecigne of Google's Threat Analysis Group. It's a remote code execution (RCE) flaw in the way the browser's scripting engine handles objects in memory, and it could allow an attacker to:

… install programs; view, change, or delete data; or create new accounts with full user rights.

No further details have been made public in the advisory, but as with most browser vulnerabilities, exploitation would involve luring unpatched users to a malicious website. Any code the attacker runs gets the rights of the logged-in user, so the impact is far greater on accounts that browse with administrator privileges than on standard user accounts.

No big deal?

Because IE is only used by a few percent of users, in theory this minimises the scope of the flaw.

However, IE code still ships in every version of Windows, including Windows 10, so the number of people actively using it as their browser might not be the whole story.

Some will have used it on their Windows 7 and 8 computers in the past, which means they could still be vulnerable if it's set as the default browser or if they can be persuaded to open a malicious website in it.

On Windows 10, IE 11 is still present but is not the default browser, so anyone who hasn't deliberately opened it or set it as the default is at much lower risk, because Microsoft's Edge or another unaffected browser will handle web links instead.

Interestingly, the update was initially released as a manual download rather than through Windows Update, and the installer checks whether the system needs it before applying it. That check is not a sign that Windows 10 is unaffected: Microsoft's advisory lists IE 11 on Windows 10 among the affected versions, so Windows 10 users should install the update too.

IE scripting flaws aren’t exactly unheard of, as demonstrated by a proof of concept exploit from earlier this year, or CVE-2018-8653 from late 2018.

Microsoft Defender flaw

The second part of this week’s update patches CVE-2019-1255, a denial of service vulnerability in Windows’ built-in security engine, Microsoft (formerly Windows) Defender.

Essentially, an attacker could exploit this "to prevent legitimate accounts from executing legitimate system binaries." In other words, the security engine could be abused to block programs that ought to run.

The fixed version is Microsoft Malware Protection Engine 1.1.16400.2. The engine updates itself automatically alongside definition updates, so most systems will receive it without user action, but it is worth confirming on machines where automatic updates are restricted.
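For readers who want to confirm that both fixes described above (the IE scripting-engine patch and the Defender engine version) have actually landed, the following script is an added example for this page; it is not code from the article or from Microsoft. It assumes Windows 10 1809 or later, where IE 11 is the optional feature named 'Internet-Explorer-Optional-amd64', that the Defender cmdlets are available, and that you know the KB number of the IE cumulative update for your build, which the article does not name and is therefore a parameter rather than a hardcoded value. The function name Test-OobPatchStatus is this example's own. Run it from an elevated PowerShell prompt, since the optional-feature query needs administrator rights.

```powershell
# Added example (not the article's or Microsoft's code): local check that the
# September 2019 out-of-band fixes are present on a Windows 10 machine.
# Assumptions: Windows 10 1809+ (IE 11 is the optional feature
# 'Internet-Explorer-Optional-amd64'), Defender cmdlets installed, elevated prompt.

function Test-OobPatchStatus {
    [CmdletBinding()]
    param(
        # KB identifier of the IE fix for this Windows build. The article does not
        # name it; look it up in the CVE-2019-1367 advisory and pass it in.
        [string]$IeUpdateKb,

        # Engine version Microsoft named as fixed for CVE-2019-1255 (from the article).
        [version]$FixedEngine = '1.1.16400.2'
    )

    $results = @()

    # 1. Defender engine: AMEngineVersion is reported by Get-MpComputerStatus.
    $engine = [version](Get-MpComputerStatus).AMEngineVersion
    $results += [pscustomobject]@{
        Check  = "Defender engine >= $FixedEngine"
        Value  = $engine.ToString()
        Passed = ($engine -ge $FixedEngine)
    }

    # 2. Installed IE version from the registry. svcVersion is the value written by
    #    IE 10 and later; if it is missing, either an older (still affected) IE is
    #    installed or IE has been removed.
    $ieKey = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    $ieVersion = if ($ieKey -and $ieKey.svcVersion) { $ieKey.svcVersion } else { 'not present' }
    $results += [pscustomobject]@{
        Check  = 'IE version string (informational)'
        Value  = $ieVersion
        Passed = $null
    }

    # 3. Is the IE 11 front end still installed? Disabled or absent means the browser
    #    cannot be launched, although Windows keeps the underlying engine components
    #    for other programs, so the update should still be applied.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer-Optional-amd64' -ErrorAction SilentlyContinue
    $featureState = if ($feature) { $feature.State.ToString() } else { 'NotFound' }
    $results += [pscustomobject]@{
        Check  = 'IE 11 optional feature'
        Value  = $featureState
        Passed = ($featureState -ne 'Enabled')
    }

    # 4. Has the IE fix itself been installed? Get-HotFix lists installed updates by KB id.
    if ($IeUpdateKb) {
        $hotfix = Get-HotFix -Id $IeUpdateKb -ErrorAction SilentlyContinue
        $installedOn = if ($hotfix) { $hotfix.InstalledOn } else { 'missing' }
        $results += [pscustomobject]@{
            Check  = "Update $IeUpdateKb installed"
            Value  = $installedOn
            Passed = [bool]$hotfix
        }
    }

    $results
}

# Usage: pass the KB for your build once you have it, e.g. Test-OobPatchStatus -IeUpdateKb 'KB<number>'.
Test-OobPatchStatus | Format-Table -AutoSize

# To remove the IE 11 front end entirely (the step suggested in the comments below):
# Disable-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer-Optional-amd64'
```

The engine check compares System.Version objects rather than strings, so 1.1.16400.2 correctly sorts above 1.1.9999.0; a string comparison would get that wrong. Removing the optional feature only takes away the browser front end, which is why the script still reports the KB check separately.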

IE 10 support ended in January 2016. As for version 11, as far as we can tell from Microsoft's documentation, it will be supported for as long as the Windows versions into which it is integrated are themselves supported. For some Windows 10 versions, that implies support far into the future.

10 Comments

Why doesn't Microsoft contact their customers on this? Surely they can afford contact with us regarding the fixes or place it on Facebook to where we go to their site… and I know that can be done with the right network administrator.

Microsoft's own security chief told everyone back in February of this year to stop using IE and move on to a more modern browser. A better security solution is just to uninstall IE in the first place in W10: Settings > Apps > Optional features.

They did, but it's retained inside Windows 10 for reasons of backwards compatibility. However, the risk from these flaws should only be to customers actively using IE.
