Critical IE Zero-Day Flaw Actively Exploited in the Wild

Microsoft issued a rare emergency security update for Internet Explorer to address a critical Zero-Day flaw in the browser that's being exploited in the wild. Run our Internet Explorer Zero-Day Vulnerability Audit Report to identify all critical IE installations in your network.

Microsoft has released an emergency security update to fix two critical security issues: a Zero-Day vulnerability in Internet Explorer (CVE-2019-1367), and a Windows Defender bug (CVE-2019-1255). Microsoft rarely releases security patches outside of its monthly Patch Tuesday updates, and usually does so only for high-severity issues.

Tracked as CVE-2019-1367, the IE zero-day is a remote code execution vulnerability in the way Microsoft's scripting engine handles objects in memory in Internet Explorer.

Out of band security vulnerability fixes CVE-2019-1367 and CVE-2019-1255 have been released today. For more information please see https://t.co/QMUM53m8so and https://t.co/vy3d0wXWng. — Security Response (@msftsecresponse) September 23, 2019

In its advisory, Microsoft states that "An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system."

The vulnerability affects Internet Explorer versions 9, 10 and 11 and, believe it or not, there are still people using Internet Explorer. Microsoft security expert Chris Jackson published a dedicated post on the Windows IT Pro blog earlier this year, urging people to stop using Internet Explorer. Microsoft officially discontinued Internet Explorer in 2015 and then chose Edge as its modern browser for Windows 10.

Windows Defender Denial of Service Flaw

While you're updating, note that Microsoft also shipped a fix for a less-severe denial of service vulnerability in the Windows Defender security tool. CVE-2019-1255 describes a file-handling error in Defender where "An attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries".

Run the Windows Defender Audit Report

Audit Your Network for Vulnerable IE Installations

If you currently have Internet Explorer deployed on your workstations, it's pretty critical that you update it at the earliest opportunity to ensure that you don't fall prey to these vulnerabilities. Our custom IE Zero-Day Vulnerability Audit Report can tell you in no time which devices have an outdated Internet Explorer version in place and need to be patched.

Run the IE Zero-Day Vulnerability Audit


If you haven't already, start your free Lansweeper trial and get a list of all vulnerable IE versions in no time.