OP 06 October, 2019 - 12:01 AM
![[Image: windows-update-software.jpg]](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2F1.bp.blogspot.com%2F-fs8y0ZTaLIY%2FXYnHa56adgI%2FAAAAAAAA1Ks%2Fio_4vU3GsPog4ONFouE0rRDCLpsEHpiIQCLcBGAsYHQ%2Fs728-e100%2Fwindows-update-software.jpg)
It's not a Patch Tuesday, but Microsoft is rolling out emergency out-of-band security patches for two new vulnerabilities, one of which is a critical Internet Explorer zero-day that cyber criminals are actively exploiting in the wild.
Discovered by Clément Lecigne of Google's Threat Analysis Group and tracked as CVE-2019-1367, the IE zero-day is a remote code execution vulnerability in the way Microsoft's scripting engine handles objects in memory in Internet Explorer.
The vulnerability is a memory-corruption issue that could allow a remote attacker to hijack a Windows PC just by convincing the user into viewing a specially crafted, booby-trapped web-page hosted online, when using Internet Explorer.
Quote:"An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system," Microsoft says in its advisory.
The vulnerability affects Internet Explorer versions 9, 10, 11, and though users should always deploy updates for every installed software when available, it is highly recommended to use an alternative, more secure web browsers like Google Chrome or Mozilla Firefox.
Microsoft said this vulnerability is being actively exploited in the wild by attackers but did not reveal any further details about the exploit campaign.
Google recently also detected a widespread iPhone hacking campaign that indiscriminately targeted users for over two years, but Apple accused the tech company of creating a false impression of "mass exploitation."
news link https://thehackernews.com/2019/09/window...o-day.html
