Microsoft Fixes Browser Zero-Day Vulnerability Discovered by Google

[The AchieVer]

Microsoft Fixes Browser Zero-Day Vulnerability Discovered by Google 

Microsoft has released a security update for Internet Explorer that resolves a vulnerability discovered by Google’s Threat Analysis Group.

Detailed in CVE-2019-0676, the security flaw can be exploited by simply pointing users to a malicious website, as Microsoft explains.

Internet Explorer improperly handles objects in memory, and Microsoft the information disclosure vulnerability impacts both Internet Explorer 10 and Internet Explorer 11 on Windows 7, 8.1, and 10.

“An attacker who successfully exploited this vulnerability could test for the presence of files on disk. For an attack to be successful, an attacker must persuade a user to open a malicious website. The security update addresses the vulnerability by changing the way Internet Explorer handles objects in memory,” the software giant explains.“Stop using Internet Explorer,” says MicrosoftMicrosoft notes that the flaw is already being exploited in the wild, and reveals that it was privately reported by Clement Lecigne of Google’s Threat Analysis Group.

Lecigne is the same security researcher who discovered several other high-profile bugs lately, including a remote code execution vulnerability in Internet Explorer in December. Furthermore, he is the one who came across iOS zero-days patched in the latest Apple software update.

The security patch for Internet Explorer is available as part of the cumulative updates for Windows 10and monthly rollups for Windows 7 and Windows 8.1 released on this month’s Patch Tuesday cycle.

Microsoft has recently recommended against using Internet Explorer, pointing out this is nothing more than a compatibility tool and not a modern browser. Microsoft is also migrating Microsoft Edge browser, the new default in Windows 10, to Chromium, the same browsing engine powering Google Chrome.

There are no details as to when the new browser could become available for users, but a preview build is expected in the coming months, possibly at the BUILD developer conference this spring.

 

 

Source