Microsoft Releases Emergency Patch for Windows to Address IE Zero-Day Vulnerability
Microsoft have announced the discovery of a new Zero-Day vulnerability effecting Internet Explorer. The vulnerability has been indexed as CVE-2019-1367.
While a number of vulnerabilities were identified, the most severe is the Zero-Day weakness in Internet Explorer which effects versions 9, 10 and 11. This vulnerability is around a remote code execution flaw that, if exploited successfully, could enable an attacker to gain the same user permissions as the current user and execute arbitrary code.
The risks are significantly increased if the attacked user is an administrator. In this scenario, the attacker could gain elevated privileges and “install programs; view, change or delete data; or create new accounts.”
Microsoft warns: “In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email”.
Updates to fix the vulnerability have been released two weeks after Microsoft resolved 79 other security vulnerabilities in its September patch, with 17 of them classified as Critical. However, the required updates to resolve this specific vulnerability is not currently available through either Windows Update or Windows Server Update Services (WSUS). It is therefore imperative that organizations utilize alternative solutions to apply this update to their devices and network platforms.
Certero customers with the Distribution module (part of the ‘Certero for Enterprise ITAM’ product) will be able to install this update on all systems where the Certero client agent is installed. A step-by-step guide is available within our Customer Center portal.
If you are not yet a Certero customer, take this opportunity to speak to one of our experts about how integrated ITAM and SAM solutions can help you manage all aspects of IT Governance and Security. Alternatively, you can contact us to arrange a call back.