Microsoft has pushed out two emergency patches after an Internet Explorer zero day was spotted by Google security researchers being exploited in the wild.
CVE-2019-1367 is a vulnerability in IE’s scripting engine. It could be exploited by creating a “watering hole” website: when a user is tricked into visiting this, an attacker could take over their machine using remote code execution (RCE).
The scripting engine is responsible for handling objects in the memory of Internet Explorer. Microsoft noted: “The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.”
The Redmond software firm confirmed that it has already being exploited in the wild, and released a security update that changes how the scripting engine handles objects in memory. An RCE vulnerability means an attacker could take over a system and make changes regardless of where that device is located.
The actual details of the vulnerability and how it was exploited are a bit sparse, but Microsoft give away some clues as they note that in one scenario a threat actor could create a website and then trick an Internet Explorer user to visit it.
Once there Microsoft notes that: “If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.”
Internet Explorer Remote Code Execution
The vulnerability was first discovered by Clément Lecigne, a member of Google’s Threat Analysis Group.
Microsoft have quickly released a patch for Internet Explore that fixes the issue, but it’s not included in today’s general Windows update. Instead those who wish to fix the issue have a few options. The simplest is to download a security update for your version of Internet Explorer from the listed security updates found here.
Otherwise you can use the mitigation/workaround for the vulnerability CVE-2019-1367 in which Microsoft are advising users to do the following.
However, Microsoft is warning those that do chose to implement this workaround that they may have ‘reduced functionality’ in features or items that use jscript.dll. Internet Explorer versions 11, 10 and 9 will apparently not experience reduced functionally steaming from jscript.dll issues, but all others will.
Not taking any chances Microsoft has provide the community with command prompt to undo the work around detailed above.
One small mercy: hardly anyone users Internet Explorer.