Microsoft Releases Out-of-Band IE, Defender Security Updates

microsoft ie defender emergency patch septemberMicrosoft released two out-of-band security patches to address critical issues for Internet Explorer (IE) and Microsoft Defender. While no exploit has been reported, Microsoft's advisory for CVE-2019-1367 stated that the IE zero-day scripting engine flaw has been observed in the wild and advised users to manually update their systems immediately. The Defender patch addresses a denial of service (DoS) vulnerability tracked as CVE-2019-1255, and can prevent legitimate users from executing legitimate system binaries and running other malware undetected. The US Computer Emergency Readiness Team (US-CERT) recommends downloading the emergency updates immediately.

[Read: September Patch Tuesday bears more remote desktop vulnerability fixes and two zero-days]

CVE-2019-1367 is a remote code execution (RCE) flaw that results in scripting engine errors while handling objects in memory in IE. Attackers can exploit this by luring IE users to malicious websites via spam emails or social engineering techniques to gain the same user rights as the current user. Considered a Critical security bug, the malicious actor can take control of the infected system, allowing them to install programs; view, change, or delete data; or create accounts with full user rights. Microsoft released patches for IE versions 9 to 10, mitigations for legacy systems, and workarounds should users be unable to update immediately.

CVE-2019-1255 can be abused when Defender improperly handles files, which an attacker can only exploit if he already has access to the victim’s system. Once exploited, it can prevent Defender components from running, allowing attackers to run malicious codes such as fileless attacks undetected. While exploits have not been observed in the wild, the update is ranked Important and has neither mitigating factors nor workarounds available.

[Read: Risks under the radar: Understanding fileless threats]

In our midyear security roundup, the abuse of unpatched vulnerabilities remain a popular method for unauthorized intrusions in enterprise systems. Users and enterprises are advised to download the security update immediately. Legacy systems can be protected using virtual patches from legitimate vendors.

Update as of 09:00AM, PST: 

Trend Micro Deep Security and Vulnerability Protection protect user systems from any threat that may target the vulnerabilities mentioned via the following DPI rule:

  • 1010003 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability

Trend Micro Tipping Point customers are protected from threats that may exploit the vulnerabilities via this MainlineDV filter:

  • 36206: HTTP: Microsoft Internet Explorer Scripting Engine Use-After-Free Vulnerability
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.