Microsoft is rolling out an update to all variants of Windows 10 to fix a dangerous flaw in Internet Explorer. Known as CVE-2019-1367, the bug lets an attacker gain the same rights as the current user by exploiting the way the scripting engine handles objects in memory.
“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” explained Microsoft.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.”
The patch is an out-of-band update, meaning it doesn’t follow Microsoft’s regular schedule of Patch Tuesday rollouts. It’s essentially an emergency fix, with the company deeming it a critical bug for many IE versions. The patch adjusts how the scripting engine handles the objects, removing the ability to gain user rights.
The rollout additionally patches CVE-2019-1255, a denial of service flaw in Windows Defender. With this bug, a hacker could exploit the anti-virus’ improper handling of files to stop users from running legitimate binaries.
Those who don’t want to wait for the update to reach them can find updates for Windows 10 and IE versions here. The quick patch follows an incident in May where a researcher published a zero-day IE exploit after Microsoft failed to address it.
Microsoft’s cybersecurity lead has previously noted that Internet Explorer is a legacy tool and should be avoided. Chromium Edge will soon release with an IE Mode, which lets users view old webpages while using a modern browser.