Emergency patch for Internet Explorer to stop attackers hijacking the web browser
Microsoft has rushed out an emergency patch for its Internet Explorer browser to address a critical flaw that is being exploited in the wild.
The flaw is said to be a scripting-engine memory-corruption bug designated CVE-2019-1367 and attackers are said to have built booby-trapped websites to exploit the flaw.
Microsoft typically issues patches and repairs as part of its monthly Patch Tuesday update cycle, but in serious cases such as this, it can issue emergency patches.
“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer,” said Microsoft in its advisory, which affects Internet Explorer version 9 to 11.
“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” it warned. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.”
“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Redmond warned. “In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.”
The patch addresses the vulnerability by modifying how the scripting engine handles objects in memory.
The IE vulnerability was reportedly discovered by engineer Clement Lecigne who works for Google’s Threat Analysis Group.
In March this year, Lecigne warned users of a couple serious zero-day vulnerabilities that affects both the Windows operating system and Google Chrome users.
Do you know all about security? Try our quiz!