Security Update: Microsoft fixes zero-day vulnerabilities in IE and Windows Defender

Security Update: Microsoft has released an emergency security update to fix two security vulnerabilities affecting Internet Explorer and Windows Defender.

Of these two, the first is a remote code execution (RCE) flaw, registered as CVE-2019-1367. This zero-day vulnerability affects Internet Explorer versions 9, 10, and 11 (which are still widely used) and stems from the way Microsoft's scripting engine handles objects in memory in IE.

According to Microsoft, hackers could exploit this vulnerability by luring potential targets (using spam messages, malware, search engine ads, IM spam, etc.) into visiting a site crafted to exploit the Internet Explorer vulnerability.

The flaw could corrupt system memory and allow attackers to execute arbitrary code in the context of the legitimate user. Exploiting the flaw gives an attacker the same user rights as the legitimate user.

Therefore, if a user is logged on as a system administrator, a successful attack could allow hackers to gain full control of the affected system. With administrator privileges, the attacker would be able to edit or delete data, install new programs, and create new accounts.

This RCE vulnerability has already been exploited, according to Microsoft.

The patch to resolve this vulnerability can only be installed manually after downloading the patch from the Microsoft Update Catalog.

The second vulnerability that has been fixed is a denial-of-service (DoS) flaw that affects the Windows Defender tool.

It has been registered as CVE-2019-1255 and was found by Wenxu Wu and Charalampos Billinis of Tencent Security Xuanwu Lab and F-Secure Countercept, respectively.

Microsoft said an attacker could exploit this flaw to prevent legitimate users from running legitimate system binaries. However, the attacker would first need execution on the victim system in order to exploit the vulnerability.

So far, there are no reports that this flaw has been exploited by hackers.

Users do not need to download a patch for this flaw, as the Microsoft Malware Protection Engine will automatically install the new security update.