Microsoft Releases Out-of-Band Security Updates

Microsoft Releases Out-of-Band Security Updates

Microsoft Urges Users to Install Emergency Patches

Microsoft released an emergency set of cumulative updates for Windows 10 devices running the May 2019 update (Windows 10 version 1903) and earlier.

The out-of-band security updates address two vulnerabilities, including a zero-day vulnerability in the Internet Explorer (IE) scripting engine that has been actively exploited in the wild as well as a Microsoft Defender bug.

The IE zero-day vulnerability (CVE-2019-1367) is a remote code execution flaw that could easily enable an attacker who successfully exploited it to gain the same user rights as the current logged-in user.

“If the current user is logged-on with administrative rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” stated Microsoft.

This flaw could also be exploited remotely and online; the attacker could even potentially host their own website specifically-designed to exploit the vulnerability within IE and then trick the end-user to view said website, via email or other means.

U.S. CERT Warns of Microsoft Vulnerabilities

The other released vulnerability (CVE-2019-1255) is a denial-of-service flaw in Microsoft Defender, Microsoft’s standard antivirus that ships with Windows 8 and later operating systems.

According to Microsoft, “an attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries.” The flaw allows an attacker to disable the Defender components from executing. Microsoft has released V1.1.16400.2 to the Microsoft Malware Protection Engine to resolve the concern.“Microsoft has released out-of-band security updates to address vulnerabilities in Microsoft software,” stated the U.S. Computer Emergency Readiness Team (CERT). “A remote attacker could exploit one of these vulnerabilities to take control of an affected system.”

These updates stand out seeing as Microsoft typically only releases security updates on Patch Tuesday, the second Tuesday of every month. Microsoft rarely changes their frequency of release unless the updates are considered critically important for security issues.

This release is indeed very important and all Windows users are strongly advised to patch as soon as possible. The update for the IE zero-day vulnerability is a manual update while the Defender bug will be patched automatically and silently within 48 hours of its availability.

Related Posts

If Vulnerabilities Can Take Down Even the Most Prepared, What Can You Do?

If Vulnerabilities Can Take Down Even the Most Prepared, What Can You Do?

April 20, 2024
In the News: Brute-force attacks surge worldwide, warns Cisco Talos

In the News: Brute-force attacks surge worldwide, warns Cisco Talos

April 17, 2024
In the News: Why 92% of Security Professionals Worry About Generative AI

In the News: Why 92% of Security Professionals Worry About Generative AI

April 16, 2024
April 2024 Patch Tuesday: Microsoft releases 147 fixes this month including 3 Critical Threats.

April 2024 Patch Tuesday: Microsoft releases 147 fixes this month including 3 Critical Threats.

April 9, 2024