From a security perspective, it hasn’t been the best few weeks for Microsoft, or for Windows users for that matter. So many serious security issues have come to the fore that “security warning fatigue” is becoming a real danger. Most recently I reported how a Windows 10 update broke Windows Defender. This was preceded by a critical Windows warning about a wormable exploit that had been weaponized. Before that, there was a “complete control” hack attack warning, another Windows update that broke things, and a device driver design flaw leaving millions of Windows 10 users at risk. Now there’s more bad news, and some good news too: Microsoft has confirmed a zero-day vulnerability that is being exploited in the wild, and has shipped a fix. Here’s what you need to know and what you need to do now.
Critical Windows Zero-Day Vulnerability Confirmed
First, the good news. The Microsoft Security Response Center (MSRC) has confirmed an out-of-band Windows security update. The bad news is that, as reported by BleepingComputer, the fix for a zero-day vulnerability that is already being exploited in the wild has to be downloaded from the Microsoft Update Catalog and installed manually; it will not arrive through the usual automatic update channel until the next scheduled security release.
The vulnerability, tracked as CVE-2019-1367, is described as a “scripting engine memory corruption vulnerability” that impacts Internet Explorer 9 (on Windows Server 2008), Internet Explorer 10 (on Windows Server 2012) and Internet Explorer 11 (on Windows 7, 8.1, Server 2008, Server 2012, Server 2019 and Windows 10).
This remote code execution vulnerability makes it possible for an attacker to create a website that would trigger memory corruption and allow arbitrary code to be executed “in the context of the current user.”
What does that mean? If a threat actor convinces you to visit the rogue website, by way of a phishing email for example, the attacker’s code runs with whatever rights your account has: it can read and modify your files, use your credentials and reach whatever your account can reach on the network. If you happen to be logged into Windows as an administrator, full control of your system could be achieved: malware could be installed, files could be deleted and new accounts created. Be in no doubt; this is a critical vulnerability, and one that is already being exploited according to the Microsoft security update guide confirmation.
What do you need to do now?
BleepingComputer reports that while Microsoft has made the out-of-band security update available to fix CVE-2019-1367, it has to be installed manually. This is confirmed by Microsoft, which said: “an updated scan file will not be available until the next security release in October 2019. As a workaround, you will need to download the September 2019 WSUS scan cab and then manually download this update from Microsoft Update Catalog to deploy.”
Microsoft also confirmed that there are mitigations available for some Windows users. Internet Explorer’s Enhanced Security Configuration mode, which is on by default on Windows Server 2008, Server 2012, Server 2016 and Server 2019, can “reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server,” Microsoft said. Note that this mitigation applies only to the server editions; it does nothing for Windows 7, 8.1 or Windows 10 desktop users, who need the update itself.
Microsoft also describes a second workaround that restricts access to JScript.dll, the library that implements the vulnerable scripting engine, but warns that this could result in “reduced functionality.” In practice that means any website or application that depends on the JScript engine, not just Internet Explorer, may stop working while the restriction is in place.
Microsoft recommends that, to be fully protected, users should install the update as soon as possible. If you have implemented the JScript workaround, however, you will need to revert the mitigation before installing the update, because the update replaces the very file the workaround locks down; left in place, the restriction would block the fix itself.
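As an added example, not taken from the article or from Microsoft’s advisory, the PowerShell script below applies, reverts and reports the status of the JScript.dll access restriction so that the revert step above is not forgotten. It assumes the restriction is implemented as an explicit deny entry for Everyone (SID S-1-1-0) on jscript.dll in System32 (and in SysWOW64 on 64-bit Windows), applied with takeown and icacls; if the commands Microsoft publishes for the workaround differ, follow those. Run it from an elevated PowerShell prompt, and remember Microsoft’s warning that the restriction reduces functionality.

```powershell
# Added example, not from the article. Applies, reverts or reports the JScript.dll
# access restriction used as a workaround for CVE-2019-1367.
# Assumptions: the restriction is an explicit deny ACE for Everyone (SID S-1-1-0) on
# jscript.dll, applied here with takeown/icacls rather than the older cacls tool.
# Run from an elevated PowerShell prompt. Revert before installing the update.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Apply', 'Revert', 'Status')]
    [string]$Action
)

$everyoneSid = 'S-1-1-0'   # SID form avoids the localized "Everyone" group name

# 64-bit Windows also carries a 32-bit copy of the engine under SysWOW64
$targets = @("$env:windir\System32\jscript.dll")
if ([Environment]::Is64BitOperatingSystem) {
    $targets += "$env:windir\SysWOW64\jscript.dll"
}

function Test-JScriptRestricted([string]$Path) {
    # True when an explicit deny ACE for Everyone is present on the file
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -eq $everyoneSid) { return $true }
    }
    return $false
}

foreach ($dll in $targets) {
    if (-not (Test-Path -Path $dll)) {
        Write-Warning "$dll not found, skipping"
        continue
    }
    switch ($Action) {
        'Apply' {
            # System files are owned by TrustedInstaller; take ownership so the ACL can be edited
            & takeown.exe /f $dll | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "takeown failed on $dll" }
            # Deny Everyone (including administrators) all access to the DLL
            & icacls.exe $dll /deny "*${everyoneSid}:(F)" | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "icacls /deny failed on $dll" }
        }
        'Revert' {
            # Remove only the deny ACE; the original allow entries are left untouched
            & icacls.exe $dll /remove:d "*$everyoneSid" | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "icacls /remove:d failed on $dll" }
        }
    }
    $state = if (Test-JScriptRestricted -Path $dll) { 'RESTRICTED (deny ACE present)' } else { 'normal access' }
    Write-Output ("{0}: {1}" -f $dll, $state)
}
```

Run with `-Action Status` before patching: if either copy of jscript.dll still reports RESTRICTED, run `-Action Revert` first, then install the out-of-band update from the Microsoft Update Catalog. The deny entry blocks every account, which is what makes the workaround effective, but it is also why the update cannot replace the file until the entry is removed.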