Microsoft has released out-of-band patches for Internet Explorer and Microsoft Defender products. The IE zero-day bug is marked critical and is being actively exploited in the wild.
In the first update, Microsoft fixed a critical remote code execution vulnerability, CVE-2019-1367. The issue affects the way the scripting engine handles objects in memory in Internet Explorer. Microsoft also confirmed that attackers are exploiting the issue in the wild.
“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” Microsoft noted in the advisory.
Organizations should make sure users do not log in to their PCs with administrative rights for normal business. Otherwise, attackers could exploit the vulnerability in the context of the logged-in user and take control of the affected system.
In the second update, Microsoft addressed a denial of service vulnerability (CVE-2019-1255) in the way Microsoft Defender improperly handles files.
“An attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries,” Microsoft added.
These out-of-band patches come after Microsoft released the September security updates earlier this month.