Microsoft has issued an emergency out-of-band patch for a critical remote code execution vulnerability in Internet Explorer.
CVE-2019-1367 is a bug in the browser’s scripting engine which affects how it handles objects in memory. Specifically, it could corrupt memory so as to allow an attacker to execute arbitrary code, according to a security update.
“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft explained.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.”
Redmond’s patch modifies how the scripting engine handles objects in memory, in order to fix the issue.
The vulnerability affects Internet Explorer versions 9-11.
The critical bug represents another good reason why IE users should migrate to a modern browser. Yet although Microsoft has been trying to push them towards its Edge offering, the latest stats show it trailing Internet Explorer, with less than half of the legacy browser’s 5.87% market share.
Trustwave’s director EMEA of SpiderLabs, Ed Williams, said the emergency update underlines the importance of good patch management.
“It also highlights the importance of regular asset identification and vulnerability scanning of environments, for example, knowing what to patch once a vulnerability has been identified. We know that attackers are flexible and dynamic and will be looking to further leverage this vulnerability to suit their needs, be it financial or otherwise,” he added.
“While Internet Explorer isn’t as popular as it once was, it is still a rich target for attackers, and the release of this patch further emphasizes why it is a business risk when compared to other browsers.”