Microsoft has released an emergency out-of-band security update to fix a zero-day vulnerability in the Internet Explorer (IE) scripting engine and a Microsoft Defender denial-of-service (DoS) vulnerability. The IE bug, tracked as CVE-2019-1367, exists in the way the scripting engine in IE handles objects in memory. An attacker can host a specially crafted website that is designed to exploit the vulnerability through IE and then convince a user to view the website. This can trigger memory corruption leading to remote code execution, allowing the attacker to gain the same user rights as the victim. System administrators are encouraged to apply the out-of-band patch as exploitation of CVE-2019-1367 has been detected in the wild. Note that IE on Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016 and 2019 already have mitigation measures in place as IE is configured to run on restricted mode (Enhanced Security Configuration), which minimises the likelihood of accidental download or running specially crafted web content on a server.
Microsoft has also patched a DoS flaw in Microsoft Defender, tracked as CVE-2019-1255. The vulnerability is due to improper handling of files, which can prevent legitimate accounts from executing legitimate system binaries. An attacker, with access to a compromised Windows system, can trigger the bug to disable Defender components from executing. Microsoft has released update v1.1.16400.2 to the Microsoft Malware Protection Engine, and the update will be automatically pushed to affected systems.
References:CVE-2019-1255 | Microsoft Defender Denial of Service Vulnerability
More Weekly Cyber Newsanalysis and insights
Enhancing your security posture, developing your cyber strategy, and designing your incident response plans.
Ensign Systems Integration
Architecting and implementing cybersecurity solutions that bolster defences
Ensign Managed Security Services
Managing your security operations for advanced threat detection, continuous monitoring, and triage services