Microsoft Corp. yesterday re-released a security update for CVE-2019-1367, a critical remote execution bug in Internet Explorer that has been actively exploited. The new release expands upon the previous emergency out-of-band update, which took place Sept. 23.
According to reports, the company’s earlier effort to distribute a patch was only available on a limited basis via its Microsoft Update Catalog, which must be manually downloaded. This time, the update available to the masses via Windows Update and Windows Server Update Services.
Additionally, the new version fixes several errors with the original update, including an issue with the print spooler services that could result in failed print jobs, and another issue that could cause an error after installing Features on Demand.
Discovered by Clément Lecigne of Google’s Threat Analysis Group and designated CVE-2019-1367, the IE bug is a memory corruption vulnerability that can be exploited for remote code execution in the context of the current user. If the current user has admin rights, then the attacker would have the power to install malicious programs, view and manipulate data and create new accounts.
Such an attack could be executed by sending potential victims emails that trick them into visiting a specially crafted website, viewed with IE.
Gloss