Microsoft urgently patches two vulnerabilities

Microsoft has identified and patched two serious vulnerabilities, one of which allowed hackers to take full control of the target system. The remote code execution zero-day vulnerability was found in Internet Explorer versions 9, 10 and 11, and allowed hackers to gain admin rights on a target system, or to create new user accounts with admin rights, if necessary.

It dubbed the vulnerability CVE-2019-1367, and described it like this:

"A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer."

The vulnerability, which was first discovered by Clément Lecigne from Google's Threat Analysis Group, allows hackers to execute arbitrary code, which means successful exploitation of the flaw would give hackers the same user rights as the current user. If the current user has admin rights, the attacker gets admin rights too.

With admin rights, further compromise is easy, as the attacker could install programs, change and delete data, and tamper with the system.

The second vulnerability, dubbed CVE-2019-1255, is a denial-of-service vulnerability in Microsoft Defender. It is not as dangerous, but could be used to prevent legitimate accounts from executing legitimate system binaries.

First uncovered by F-Secure Countercept’s Charalampos Billinis and Wenxu Wu from Tencent Security Xuanwu Lab, the vulnerability requires the hacker to first gain access rights on the victim system.

It doesn’t seem to be exploited at the moment.

Sead Fadilpašić

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has been featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.