Microsoft has taken the rare step of issuing an out-of-cycle patch this week to fix a critical vulnerability in Internet Explorer that is being used in active attacks.
The patch is for a remote code execution vulnerability in the scripting engine in IE, a bug that affects versions 9 through 11 of the browser. Microsoft said the vulnerability could be exploited through drive-by attacks on a malicious or compromised site. The bug is a memory corruption flaw, and an attacker who is able to exploit it could gain full control of the victim’s machine. Microsoft issued the emergency patch on Monday and is encouraging customers to update as quickly as possible.
“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” the Microsoft advisory says.
“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Microsoft said that the vulnerability has been exploited in active attacks.
Although IE is not nearly the dominant force that it once was and has only about five percent of the desktop market share, it is still widely used in enterprises, and zero-days in IE tend to attract the attention of attackers. The attack scenarios for this vulnerability, known as CVE-2019-1367, are not complex, so installing the patch should be a priority for enterprise security teams.
“To exploit the vulnerability, an attacker would have to host the exploit on a malicious website and socially engineer a user into opening that website in Internet Explorer. In the case of a targeted attack, an attacker could include a link to the malicious website in an email or in a malicious email attachment (HTML file, PDF file, Microsoft Office document) that supports embedding the scripting engine content,” Satnam Narang, senior security response manager at Tenable Security, said in a post on the bug.
Microsoft said in its advisory that the vulnerability has been exploited in active attacks, although the company did not detail the attack scenarios.