Microsoft rushes out fixes for two zero-day security flaws affecting IE and Windows Defender

Zero-day security flaw affecting Internet Explorer is already being exploited in the wild

Microsoft has issued an emergency security update to patch two security vulnerabilities affecting Internet Explorer and Windows Defender.

Of these two, the first is a remote code execution (RCE) flaw, indexed as CVE-2019-1367. This zero-day vulnerability affects Internet Explorer (IE) versions 9, 10 and 11 - which are still widely used - and exploits in the way in which Microsoft's "scripting engine handles objects in memory in IE".

According to Microsoft, attackers could exploit this vulnerability by luring potential targets (using spam email, malvertising campaigns, search engine ads, IM spam, and others) to visit a booby-trapped website using Internet Explorer.

The flaw could corrupt system's memory and allow attackers to run arbitrary code in the context of the current user. Exploiting the flaw successfully enables an attacker to attain the same user rights as the current user.

So, if a user is logged on as a system admin, a successful attack could enable hackers to take full control of the affected system. After gaining admin rights, an attacker would become able to edit or delete data, install new programmes and create new accounts.

This RCE vulnerability is already being exploited in the wild, according to Microsoft.

The bug was discovered by Clément Lecigne of Google's Threat Analysis.

The patch to fix this vulnerability can only be installed manually after downloading it from Microsoft Update Catalog.

The second vulnerability patched on Monday is a Denial of Service (DoS) bug affecting Windows Defender tool.

It is tracked as CVE-2019-1255 and was found by Wenxu Wu and Charalampos Billinis of Tencent Security Xuanwu Lab and F-Secure Countercept, respectively.

Microsoft said that an attacker could exploit this bug to prevent legitimate users from running legitimate system binaries. However, they would first need execution on the victim's system to exploit the vulnerability.

There are no reports, so far, of the flaw being actively exploited by attackers.

Users don't need to download the patch for this bug, as Microsoft Malware Protection Engine will install the new patch automatically.