Microsoft Patches IE Zero-Day Bug

Written by

Microsoft released fixes for 75 vulnerabilities during this month’s patch update round, including one zero-day flaw in Internet Explorer.

The bug in question, CVE-2019-1429, exists in the way the scripting engine handles objects in memory in the browser, corrupting memory so an attacker can execute arbitrary code, according to Microsoft.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” it explained.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked 'safe for initialization' in an application or Microsoft Office document that hosts the IE rendering engine."

An attacker could also take advantage of compromised websites and those that accept or host user-provided content or ads, Microsoft continued.

Another one to watch is CVE-2019-1457, a publicly disclosed vulnerability in Excel which could bypass security features.

“An attacker could embed a control in an Excel worksheet that specifies a macro should be run. Whatever is executed in the macro that was triggered by bypassing the security settings of Excel would be the real risk of this vulnerability,” explained Ivanti director of security solutions, Chris Goettl.

“This vulnerability is not currently being exploited in the wild, but since it has been publicly disclosed, threat actors have had a jump start on being able to develop an exploit to take advantage of the CVE. This puts the vulnerability at higher risk of exploitation.”

Microsoft has also issued an advisory on a flaw in some Trusted Platform Modules (TPM) chipsets from STMicroelectronics, which may require a firmware update to the TPM.

Elsewhere, Adobe issued patches for 45 critical vulnerabilities in Acrobat and Reader that should be prioritized for workstations.

What’s hot on Infosecurity Magazine?