Microsoft has released an emergency out-of-band security update today to fix two critical security issues — a zero-day vulnerability in the Internet Explorer scripting engine that has been exploited in the wild, and a Microsoft Defender bug.
The updates stand out because Microsoft usually likes to stay the course and only release security updates on the second Tuesday of every month. The company rarely breaks this pattern, and it's usually only for very important security issues.
This is one of those rare occasions, and Windows users are advised to install today's updates as soon as possible. The patch for the IE zero-day is a manual update, while the Defender bug will be patched via a silent update.
The IE zero-day
Of the two bugs, the Internet Explorer zero-day is the most important one, primarily because it's already been exploited in active attacks in the wild.
Details about the attacks are still shrouded in mystery, and Microsoft rarely releases such details. What we know is that the attacks and the zero-day have been reported to Microsoft by Clément Lecigne, a member of Google's Threat Analysis Group.
This is the same Google threat intel team that has detected the attacks with iOS zero-days against members of the Chinese Uyghur community earlier this year. Those attacks also targeted Android and Windows users; however, it is unclear if the IE zero-day patched today is part of those attacks.
But what we know now is that IE zero-day is a very serious vulnerability. It is what researchers call a remote code execution (RCE) issue.
According to Microsoft, “the vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.”
“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” Microsoft said. “If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The attack requires luring an Internet Explorer user on a malicious website, which is a rather trivial task, as it can be achieved by various methods such as spam email, IM spam, search engine ads, malvertising campaigns, and others.
The good news is that Internet Explorer usage has gone down to 1.97% market share, according to StatCounter, meaning the number of users vulnerable to attacks is rather small, and attacks should be pretty limited in scope.
The IE zero-day is tracked with the CVE-2019-1367 identifier. In a security advisory, Microsoft lists various workarounds for protecting systems if today's update can't be applied right away. The security advisory also contains links to the manual update packages, which Windows users will need to download from the Microsoft Update Catalog and run on their systems by hand. The patch for the IE zero-day won't be available via Windows Update.
Microsoft Defender DoS bug
The second issue fixed today is a denial of service (DoS) vulnerability in Microsoft Defender, formerly known as Windows Defender, the standard antivirus that ships with Windows 8 and later versions, including the widespread Windows 10 release.
According to Microsoft, “an attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries.”
The good news is that this bug isn't such a big issue. To exploit this bug, an attacker would first need access to a victim's system and the ability to execute code.
The bug allows a threat actor to disable Microsoft Defender components from executing, but if the attacker already has “execution rights” on a victim's computer, then there are many other ways to run malicious code undetected — such as fileless attacks.
Nevertheless, Microsoft has released update v1.1.16400.2 to the Microsoft Malware Protection Engine, a component of the Microsoft Defender antivirus, to fix this issue.
This bug is tracked as CVE-2019-1255. Microsoft credited Charalampos Billinis of F-Secure Countercept and Wenxu Wu of Tencent Security Xuanwu Lab with discovering this issue.