The exploit makes it possible to execute arbitrary code by luring a visitor to a specially crafted web page. Microsoft's Internet Explorer 9, 10, and 11 are affected; the Edge browser is safe.
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user... An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
At the same time, the patch also fixes an unrelated denial-of-service vulnerability in Windows Defender. This bug is not as easy to exploit and can only be used to generate false positives, which could prevent the running of legitimate system binaries.
Via: Ars Technica
The advisory said the vulnerability is being actively exploited in the wild, but it didn’t elaborate on the attacks. The vulnerability affects IE versions 9, 10, and 11. IE has fallen out of favor since the release of Edge, which researchers widely agree is more resistant to hacking attacks. IE users who can switch to the latest version of Edge should do so. IE users who are unable to change browsers should install Monday’s out-of-band update immediately.