IE zero-day under active attack gets emergency patch


Karlston


Denial-of-service flaw in Microsoft Defender also gets unscheduled fix.

Microsoft has released two unscheduled security updates, one of which patches a critical Internet Explorer vulnerability that attackers are actively exploiting in the wild.

 

The IE vulnerability, tracked as CVE-2019-1367, is a remote code execution flaw in the way that Microsoft’s scripting engine handles objects in memory in IE. The vulnerability was found by Clément Lecigne of Google’s Threat Analysis Group, which is the same group that recently detected an advanced hacking campaign that targeted iPhone users. Researchers from security firm Volexity later said the attackers behind the campaign also targeted users of Windows and Android devices. It’s not clear if the IE vulnerabilities Microsoft is fixing now have any connection to that campaign.

 

Monday’s advisory said attackers could exploit the vulnerability by luring targets to use IE to visit a booby-trapped website.

 

Microsoft officials wrote:

The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user... An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

The advisory said the vulnerability is being actively exploited in the wild, but it didn’t elaborate on the attacks. The vulnerability affects IE versions 9, 10, and 11. IE has fallen out of favor since the release of Edge, which researchers widely agree is more resistant to hacking attacks. IE users who can switch to the latest version of Edge should do so. IE users who are unable to change browsers should install Monday’s out-of-band update immediately. Updates should be available automatically. Those for Windows 10 are also available here.

 

Separately, Microsoft released an additional unscheduled update on Monday to fix a denial-of-service vulnerability in the Microsoft Defender antimalware engine. Formerly known as Windows Defender, the antivirus service ships with Windows 8 and later versions.

 

An advisory Microsoft published Monday said attackers could exploit the flaw to “prevent legitimate accounts from executing legitimate system binaries.” Based on the wording of the advisory, the requirements for exploiting the vulnerability are high. For a DoS to be successful, the advisory said, “an attacker would first require execution on the victim system.” The advisory said there are no indications the flaw is being actively exploited.

 

Indexed as CVE-2019-1255, the vulnerability was privately reported to Microsoft by Charalampos Billinis of F-Secure Countercept and Wenxu Wu of Tencent Security Xuanwu Lab. The update should be installed automatically through the Microsoft Malware Protection Engine in the next 48 hours.

 

 

 

Source: IE zero-day under active attack gets emergency patch (Ars Technica)


Microsoft releases emergency IE patches inside 'optional, non-security' cumulative updates

After posting patches yesterday that are directed at an Internet Explorer security hole claimed to be under active attack, Microsoft took the next step and released “optional, non-security” Win10 patches through Windows Update and WSUS. There’s remarkably little “there” there.


I’ve seen a lot of confusion about the security hole known as CVE-2019-1367 and what normal Windows customers should do about it. Part of the reason for the confusion is the way the fix was distributed – the patching files were released on Monday, Sept. 23, but only via manual download from the Microsoft Update Catalog.

 

On a Monday.

 

In the past few hours, Microsoft released a hodge-podge of patches that seem to tackle the problem. They’re “optional non-security” and “Monthly Rollup preview” patches, so you won’t get them unless you specifically go looking for them.

 

As a bit o' lagniappe, if you use Windows Update to install the sky-is-falling IE patch, you’ll get a bunch of additional marginally-tested patches along for the ride.

 

Here are the most important Win10 patches that appear to contain the IE/CVE-2019-1367 fix:

I say “appear to contain” the fix because, as best I can tell, none of the documentation mentions CVE-2019-1367, the security hole that was fixed yesterday in an odd single-purpose cumulative update. These, too, are cumulative updates, but they're specifically identified as "non-security updates."

Which is disingenuous, at best. 

 

Those patches are only available if you click “Check for updates.” Microsoft would traditionally call them “optional, non-security” patches, but with the likely (if undocumented) presence of a separately identified out-of-band security patch, it’s hard to say what to call them. 

We don’t have a cumulative update for Win10 1903 just yet. We do, however, have a manually downloadable out-of-band patch for the IE problem in 1903, KB 4522016.

 

Over on the Windows 7/8.1 side of the fence, it appears as if the CVE-2019-1367 fix is part and parcel of the two Monthly Rollup Previews just released:

  • Win7 KB 4516048 – “Addresses an issue that may cause an error when opening or using the Toshiba Qosmio AV Center. You may also receive an error in the Event Log related to cryptnet.dll.”
  • Win8.1 KB 4516041 – Fixes the bug that prevented IE 11 from running on RT devices.

There’s no indication in the KB articles that either of these Previews fix the IE hole, but an independent check by AskWoody’s @EP shows that the Previews contain the latest IE file. That likely means the security hole has been plugged in the Previews.

 

At this point, I don’t see why the Windows blogosphere has tied itself in knots warning about the IE/CVE-2019-1367 security hole. Yes, Microsoft has said that it’s been exploited in the wild. No, we don’t have any more information. The folks who know aren’t talking. The most credible story I’ve seen involves a very targeted attack from the (reputedly) Korean group known as DarkHotel.

At any rate, for almost everybody, this appears to be yet another tempest in a teapot. My advice is to sit tight, don’t update anything, and stop using Internet Explorer.

 

Unless you’ve done something to make DarkHotel angry, of course.

 

Keep up with the latest on AskWoody.

 

 

Source: Microsoft releases emergency IE patches inside 'optional, non-security' cumulative updates (Computerworld - Woody Leonhard)

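Both articles above leave the reader with the same practical question: is this particular machine actually patched? The Ars piece says the CVE-2019-1255 fix arrives through the Malware Protection Engine, and the Computerworld piece notes that the only way @EP could tell the Monthly Rollup Previews carried the CVE-2019-1367 fix was to look at the IE file version, because the KB articles never mention it. The PowerShell audit below is an added example written for this thread; it is not code from Ars Technica, Computerworld, AskWoody or Microsoft. It checks Get-HotFix for the three KB IDs named in the posts (KB4522016, KB4516048, KB4516041), reads the file version of jscript.dll (the IE scripting engine), and reads the Defender engine version via Get-MpComputerStatus. The minimum patched versions are not stated anywhere on this page, so the script takes them as operator-supplied parameters (an assumption, labelled in the code) rather than hard-coding values.

```powershell
<#
Added example for this thread: an audit script of my own, not code from the
Ars Technica or Computerworld articles, from Microsoft, or from AskWoody.
It checks one Windows host for the two out-of-band fixes discussed above:

  * CVE-2019-1367 (IE scripting-engine RCE): is one of the KBs the thread
    names installed, and which version of the script-engine DLL is on disk?
    The "latest IE file" check AskWoody's @EP did by hand is done here by
    reading the file version of jscript.dll.
  * CVE-2019-1255 (Defender DoS): which engine version is the antimalware
    service running?

Assumptions, because the thread never states them: the minimum patched
versions of jscript.dll and of the Defender engine are passed in by the
operator after reading the KB article and the advisory. Requires Windows
PowerShell 3.0 or later; the Defender check needs the Defender module
(Windows 8 and later), so on hosts without it that check is skipped.
#>
[CmdletBinding()]
param(
    # KB IDs the thread names as carrying the CVE-2019-1367 fix
    # (Win10 1903 out-of-band, Win7 Preview, Win8.1 Preview).
    [string[]]$IeFixKbs = @('KB4522016', 'KB4516048', 'KB4516041'),
    # Operator-supplied thresholds (assumed; taken from the KB file list / advisory).
    [string]$MinJscriptVersion = '',
    [string]$MinDefenderEngineVersion = ''
)

function Get-InstalledIeFixKb {
    param([string[]]$Kbs)
    # Get-HotFix reads Win32_QuickFixEngineering; cumulative updates and
    # Monthly Rollup Previews both show up there as "Update" entries.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $Kbs | Where-Object { $installed -contains $_ }
}

function Get-JscriptVersion {
    # IE's legacy script engine is jscript.dll. 64-bit Windows also carries a
    # 32-bit copy under SysWOW64, which 32-bit IE tabs load, so both copies
    # must be at the patched level.
    foreach ($path in @("$env:windir\System32\jscript.dll", "$env:windir\SysWOW64\jscript.dll")) {
        if (Test-Path -LiteralPath $path) {
            $vi = (Get-Item -LiteralPath $path).VersionInfo
            [pscustomobject]@{
                Path    = $path
                Version = New-Object -TypeName System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            }
        }
    }
}

function Get-DefenderEngineVersion {
    # Get-MpComputerStatus exists only where the Defender module is present.
    if (-not (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) { return $null }
    [version](Get-MpComputerStatus).AMEngineVersion
}

function Compare-ToMinimum {
    # Verdict for one version against an operator-supplied minimum;
    # an empty minimum means "report only".
    param([version]$Actual, [string]$Minimum)
    if (-not $Minimum) { return 'no minimum supplied; compare against the KB/advisory by hand' }
    if ($Actual -ge [version]$Minimum) { 'at or above minimum' } else { 'BELOW minimum - still vulnerable' }
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem
"Host {0}: {1} (build {2})" -f $env:COMPUTERNAME, $os.Caption, $os.BuildNumber

$found = @(Get-InstalledIeFixKb -Kbs $IeFixKbs)
if ($found.Count -gt 0) {
    "CVE-2019-1367 KB present: " + ($found -join ', ')
} else {
    # The cumulative-update KB differs per Win10 build, so a miss here is not
    # proof of exposure; the file version below is the deciding check.
    "None of " + ($IeFixKbs -join ', ') + " is installed; check the jscript.dll version below."
}

foreach ($dll in Get-JscriptVersion) {
    "{0}: {1} -> {2}" -f $dll.Path, $dll.Version, (Compare-ToMinimum -Actual $dll.Version -Minimum $MinJscriptVersion)
}

$engine = Get-DefenderEngineVersion
if ($null -eq $engine) {
    "Defender engine: Get-MpComputerStatus not available on this host (no Defender module); CVE-2019-1255 check skipped"
} else {
    "Defender engine {0} -> {1}" -f $engine, (Compare-ToMinimum -Actual $engine -Minimum $MinDefenderEngineVersion)
}
```

Run it as `.\Audit-OobFixes.ps1 -MinJscriptVersion <version from the KB file information> -MinDefenderEngineVersion <version from the CVE-2019-1255 advisory>` (the script name is my own). Without the two parameters it still reports every value, which is enough to compare by hand against the KB article the way @EP did. The KB lookup is deliberately treated as a hint rather than a verdict: Woody's point that the fix rode inside differently numbered "non-security" cumulative updates is exactly why a hotfix-ID check alone can give a false negative, whereas the DLL version on disk cannot.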


What do we know about the big, scary, exploited, emergency-patched IE security hole CVE-2019-1367?

Short answer: nothing. Long answer: almost nothing. But we sure have a convoluted mess of a cleanup.


Microsoft set the patching world on its ear on Monday when it released an "out of band" patch to fix a vulnerability known as CVE-2019-1367. Susan Bradley raised the alarm immediately. I chimed in a few hours later with more details.

 

Then, yesterday (Tuesday), Microsoft dumped its usual big bunch of "optional, non-security" Win10 patches and "Monthly Rollup Previews" which — we finally figured out — include the fix for CVE-2019-1367. I wrote about that in Computerworld.

 

Microsoft's official description of CVE-2019-1367 sounds like a zillion other descriptions:

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer.

The part that caught everyone's attention, though, was this one little entry in the description:

[Screenshot: the CVE-2019-1367 advisory entry showing "Exploited: Yes" (Woody Leonhard/IDG)]

That "Exploited: Yes" notation — and the fact that the patches were released on a Monday — set the Windows blogosphere into a meltdown. You’ve read the story: Microsoft says it’s exploited, so you better get patched right away! The sky is falling! 

 

What a crock. But the story sure drew a lot of clicks. A clickety crock.

Usually when Microsoft says a security hole has been "exploited" it means that some political group is using it to infiltrate another political group (or high-profile business) in very specific, targeted attacks. Microsoft has to worry about stuff like that. You don't.

 

In fact, when Microsoft released its original bunch of September patches a couple of weeks ago, it identified two of them — CVE-2019-1214 and CVE-2019-1215 — as “Exploited: Yes.” A few days later, very quietly, Microsoft turned both of them to “Exploited: No.” 

Some security folks get worked up about “Exploited: Yes.” Those of us who have been working with Microsoft patches for a while know that, even if a security hole is exploited, there’s frequently no reason for the average Windows customer to quake in their boots.

 

That said, there are some times when an exploited vulnerability warrants your immediate attention. But those cases are very few and far between.

 

I’ve been on a quest to see if there are any openly reported exploits that use this week’s bugaboo, CVE-2019-1367. So far I’ve come up with nothing. The people who know aren’t talking. The closest I’ve come is a little tweet from Costin Raiu, who works at Kaspersky:

Recently patched IE 0day (CVE-2019-1367) was used by DarkHotel, does not seem related to ongoing discussions re iOS/Android attacks.

That rings true, at least to my ear. (Cyware describes DarkHotel as “a North Korea-linked threat actor group that has been active since at least 2007”). If there are any attacks out in the open, I sure can’t find them.

Quite frankly, I don’t see anything about CVE-2019-1367 that makes it any different from dozens of other 0days out there. We seem to hit one or two in the Windows patching game every month.

 

So why the horrendously sloppy reaction from Microsoft?  Why did we get single-purpose manual-install-only patches on Monday, followed by “optional non-security” updates (which clearly include security patches) and Monthly Rollup Previews (with undocumented security patches) on Tuesday?

 

I don’t know. But it certainly set the patching world topsy-turvy. 

 

Make no mistake. This isn’t your grandfather’s out-of-band patch. Usually out-of-band patches tend to be orderly, released for all versions of Windows at once, highly publicized, and available through the various update services. This series of patches looks more like a Keystone Kops attack.

 

Do you think that Microsoft’s cleaned up its Windows patching mess?

 

Let me know on AskWoody.com.

 

 

Source: What do we know about the big, scary, exploited, emergency-patched IE security hole CVE-2019-1367? (Computerworld - Woody Leonhard)
