Highlights and Updates

Microsoft Patches IE Zero-Day Among 74 Vulnerabilities

Wednesday, 13th November 2019

The November Patch Tuesday update fixed 13 critical flaws, including a zero-day bug in Internet Explorer.

Patch Tuesday is back once again, bringing with it 74 security fixes, 61 of which are classified as Important and 13 as Critical, including one Internet Explorer bug under active attack.

Microsoft today released fixes for CVEs across Windows, Internet Explorer, Microsoft Edge, Office and Office 365, ChakraCore, Exchange Server, Open Source Software, and Visual Studio.

The vulnerability currently being exploited in the wild is CVE-2019-1429, a scripting engine memory corruption vulnerability in Internet Explorer. A remote code execution flaw exists in the way the scripting engine handles objects in memory in IE, and it could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Attackers who successfully exploited this vulnerability could gain the same user rights as the current user. If the user is logged in with administrator privileges, the attackers could exploit the vulnerability to take control of an affected system. From there, they could install programs; view, edit, or delete data; or create new accounts with full user rights.

To do this, the attackers could host a website designed to exploit the bug through Internet Explorer and convince the target to visit the site. Alternatively, they could embed an ActiveX control labeled "safe for initialization" within an app or Office document that hosts the IE rendering engine and trick someone into opening it. In the latter scenario, the victim wouldn't need to use IE to be infected, meaning they should patch even if they don't rely on the browser.