Microsoft has issued an emergency out-of-band security update to address two critical vulnerabilities affecting Internet Explorer and Windows Defender.
The flaws — indexed as CVE-2019-1367 and CVE-2019-1255 — made it possible for a remote attacker to take control of a target system and trigger a denial of service in Microsoft Defender, the antivirus app that ships with Windows software.
Of the two, the former, a zero-day vulnerability in Internet Explorer affecting versions 9, 10, and 11, is the more severe. The remote code execution flaw, if exploited successfully, could enable an attacker to gain the same permissions as the current user and execute arbitrary code.
This can have serious consequences if the current user also happens to have administrative rights, which could then be leveraged by the bad actor to gain elevated privileges and “install programs; view, change, or delete data; or create new accounts.”
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email,” Microsoft cautioned in its advisory.
— Security Response (@msftsecresponse) September 23, 2019
Microsoft said the vulnerability is being actively exploited in the wild, but stopped short of providing more details.
The flaw was originally disclosed by Google Security’s Threat Analysis Group, the same white-hat hacker team that recently came under the spotlight for uncovering a series of iOS exploits that were used to target Muslim ethnic minorities in China.
The updates come two weeks after the company resolved 79 other security vulnerabilities in its monthly patch release on September 10, 17 of which were classified as Critical.
The fact that Microsoft chose to break its monthly update pattern and issue out-of-band fixes underscores the severity of the issues. If you’re a Windows user, you should waste no time installing the security updates.