The critical vulnerability could also be exploited via a malicious Microsoft Office document
Microsoft has shipped out a fix for a critical flaw in Internet Explorer (IE) that is being exploited in the wild. Tracked as CVE-2019-1429, the vulnerability is part of this month’s batch of regular security updates known as Patch Tuesday.
The zero-day is a remote code execution flaw that, according to Microsoft’s advisory, has to do with how the browser’s scripting engine handles objects in memory. The security hole affects all current IE versions and could be exploited by a threat actor to lure the victims to visit a malicious website via the browser.
“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” said the technology giant. From there, the attackers could install programs, tamper with data; and create new accounts with full user rights.
Importantly, there’s another possible attack vector – and it doesn’t even require you to use IE for your typical web browsing needs. “An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine,” said Microsoft.
Details are sparse about the nature of the attacks exploiting the vulnerability, which was discovered independently by researchers from Google, Resecurity and iDefense Labs. Resecurity did say, however, that the flaw has probably been exploited in conjun ..
Support the originator by clicking the read the rest link below.
