[SingCERT] Microsoft Out-Of-Band Security Updates (CVE-2019-1367 and CVE-2019-1255)

Published on 24 Sep 2019

Updated on 23 Oct 2019

Background

Microsoft has released two out-of-band security updates to address vulnerabilities discovered in Internet Explorer and Microsoft Defender.

  • CVE-2019-1367 - This is a remote code execution vulnerability in Internet Explorer. It exists in the way that the scripting engine mishandles objects in memory, thereby allowing an attacker to execute arbitrary code in the context of the current user. It has a Common Vulnerability Scoring System (CVSS) v3.0 severity base score of 7.5 out of 10.

  • CVE-2019-1255 - This is a denial of service vulnerability that exists when Microsoft Defender improperly handles files. An attacker could exploit the vulnerability to prevent the execution of legitimate system binaries. It has a CVSS v3.0 severity base score of 3.2.

Affected Products

  • Internet Explorer versions 9, 10, and 11

  • Microsoft Defender versions prior to 1.1.16400.2
Impact

Successful exploitation of the Internet Explorer vulnerability could allow attackers to perform remote code execution and take control of the affected systems to perform malicious activities, including unauthorised installation of programs, creation of rogue administrator accounts and viewing, changing, or deletion of data.

Recommendation

Users and system administrators using the affected products are strongly encouraged to apply the security updates immediately.
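The following PowerShell check is an added example, not part of the SingCERT advisory, that a Windows administrator can run to confirm both fixes are present on a host. It assumes the Defender fix is identified by the Malware Protection Engine version threshold stated above (1.1.16400.2, reported by Get-MpComputerStatus as AMEngineVersion) and that the Internet Explorer fix is identified by the cumulative update number KB4522007 that appears in this advisory's references; the IE KB differs by Windows release, so the applicable KB is passed in as a parameter.

```powershell
# Added example (not SingCERT's or Microsoft's code): report whether the
# out-of-band fixes for CVE-2019-1255 and CVE-2019-1367 appear installed.
function Test-OobSecurityUpdates {
    param(
        # Assumption: KB4522007 is the IE cumulative update for this host's
        # Windows release; pass the correct KB for other releases.
        [string]$IeKb = 'KB4522007'
    )

    # Threshold from the advisory: Defender engine versions prior to
    # 1.1.16400.2 are affected by CVE-2019-1255.
    $minEngine = [version]'1.1.16400.2'

    # AMEngineVersion is the Malware Protection Engine version string.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion
    $defenderPatched = $engine -ge $minEngine

    # The IE fix ships as a cumulative update; check the installed hotfixes.
    $ieHotfix = Get-HotFix -Id $IeKb -ErrorAction SilentlyContinue
    $iePatched = $null -ne $ieHotfix

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        DefenderEngine  = $engine.ToString()
        DefenderPatched = $defenderPatched
        IeUpdate        = $IeKb
        IePatched       = $iePatched
        NeedsAction     = -not ($defenderPatched -and $iePatched)
    }
}

# Usage: run in an elevated session on the host being checked.
Test-OobSecurityUpdates | Format-List
```

Run the function across a fleet with Invoke-Command and filter on NeedsAction to find hosts that still require the updates.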

References

[1] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367
[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1255
[3] https://support.microsoft.com/en-us/help/4522007/cumulative-security-update-for-internet-explorer
[4] https://www.bleepingcomputer.com/news/security/microsoft-issues-windows-security-update-for-0day-vulnerability/