Microsoft Addresses Vulnerabilities in IE, Microsoft Defender
Microsoft this week issued "out-of-band" security advisories for Internet Explorer (IE) and the Microsoft Defender anti-malware service.
The IE vulnerability (CVE-2019-1367) is a remote code execution flaw that's rated "Critical" and "Moderate." This vulnerability has been exploited, although the exploit code isn't public.
The IE vulnerability stems from how the browser's scripting engine handles objects in memory. The flaw permits an attacker to "execute code in the context of the current user," including system administrators if that's the case. It's present in IE 11 on Windows 10 and Windows Server 2019, IE 10 on Windows Server 2012, and IE 9 on Windows Server 2008 Service Pack 2.
There's no patch for the IE vulnerabilities until October. Update 9/25: Microsoft's Message Center page includes new information that optional Windows 10 updates released on September 24 and September 26 through Windows Update and the Microsoft Update Catalog contain a "mitgation for this vulnerability" in IE's memory handling. The Message Center post also explains a little why Microsoft didn't just push down a patch in the first place as it will require a system reboot to take effect.
Microsoft's security bulletin offered "mitigations" to run that will restrict access to the JScript Dynamic Link Library, although the mitigations "might result in reduced functionality" for some components. The one exception is use of JScript9.dll, which isn't affected. Windows Server Update Service users will need to "manually download this update from Microsoft Update Catalog to deploy" it, according to the advisory. More such details are described in this IE cumulative update article.
The other security advisory is about a vulnerability in Microsoft Defender (CVE-2019-1255), which could lead to denial of service. It's rated "Important," but the vulnerability hasn't been exploited or published yet.
No action is required to address the Microsoft Defender vulnerability, as Microsoft will simply update its anti-malware definitions, as well as the Microsoft Malware Protection Engine.
The Microsoft Malware Protection Engine is considered to be patched if it's at version 1.1.16400.2, Microsoft's advisory indicated. Microsoft updates the antimalware definitions and the engine once a month, or as needed. IT pros should verify the engine's version number and ensure that "their update management software is configured to automatically approve and distribute engine updates and new malware definitions," the advisory indicated.
The advisories, which fell out of Microsoft's usual "update Tuesday" security bulletin release cycle, were noted in this National Cyber Awareness System post.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.