On September 23, 2019, Microsoft unexpectedly released unscheduled security updates for Windows Defender, Microsoft Security Essentials, other security products, and Internet Explorer, which are intended to close vulnerabilities.
The information about the vulnerability was provided via Twitter, as Bleeping Computer found out here.
Out of band security vulnerability fixes CVE-2019-1367 and CVE-2019-1255 have been released today. For more information please see https://t.co/QMUM53m8so and https://t.co/vy3d0wXWng.
— Security Response (@msftsecresponse) September 23, 2019
Addendum: Meanwhile I also received a mail from Microsoft with information about CVE-2019-1367 and CVE-2019-1255. Below I explain which updates are available.
Defender vulnerability CVE-2019-1255
CVE-2019-1255 is a denial-of-service vulnerability in Microsoft Defender. It exists when Microsoft Defender handles files improperly. An attacker could exploit the vulnerability to prevent legitimate accounts from running legitimate system binaries.
To exploit the vulnerability, an attacker would first have to execute the exploit code on the affected system. Microsoft classifies the vulnerability as Important, but not as Critical. The security update fixes the vulnerability by ensuring that Microsoft Defender processes files properly. However, Microsoft does not yet provide any downloads to close the vulnerability. The following Microsoft security products are affected:
- Microsoft Forefront Endpoint Protection 2010
- Microsoft System Center Endpoint Protection
- Microsoft System Center 2012 Endpoint Protection
- Microsoft System Center 2012 R2 Endpoint Protection
- Microsoft Security Essentials
- Windows Defender
The security issue basically affects all supported Windows versions with the Microsoft Malware Protection Engine version 1.1.16300.1. The Microsoft Malware Protection Engine version 1.1.16400.2 addresses the vulnerability. The update should be performed automatically by the relevant Microsoft security products (however, the update does not appear to be ready yet).
Addendum: On Sept. 24, 2019 at about 8:00 a.m. (CET) a new update search under Windows 7 SP1 found the update KB2310138, which raised the module version of the antimalware engine to 1.1.16400.2 for Microsoft Security Essentials. I assume that Windows 8.1 and Windows 10 and the other security products have also received this update.
How to find out the module versions is described in the blog post Defender Antimalware Version 4.18.1908.7 with sfc-Fix?
IE updates for Windows
Microsoft has also released a number of security updates for Internet Explorer. However, the KB articles do not explain why IE is vulnerable. This information can be found in CVE-2019-1367: it is a memory corruption vulnerability in IE's scripting engine, which exists in the way the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
An attacker who successfully exploited the vulnerability could obtain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs, view, modify, or delete data, or create new accounts with full user privileges.
Microsoft has released the following security updates for the various versions of Windows 10 to close the Internet Explorer vulnerability.
- KB4522016: Windows 10 Version 1903, Windows Server Version 1903
- KB4522015: Windows 10 Version 1809, Windows Server Version 1809, Windows Server 2019
- KB4522014: Windows 10 Version 1803
- KB4522012: Windows 10 Version 1709
- KB4522011: Windows 10 Version 1703
- KB4522010: Windows 10 Version 1607, Windows Server 2016
- KB4522009: Windows 10 Version 1507
- KB4522007: Windows Server 2008 R2 SP1, Windows Server 2012 R2, Windows Server 2012, Windows 8.1, Windows 7 SP1 for IE 9 – 10
According to the KB articles, the security updates are only available for manual download in the Microsoft Update Catalog and must be installed manually. Bleeping Computer has compiled some more information here.
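The two checks described above (Malware Protection Engine version and the out-of-band IE update), as an added PowerShell example that is not part of the original article. The function names are hypothetical and the build-number mapping is an assumption added here; the fixed engine version and the KB numbers are the ones listed in the article.

```powershell
# Added example, not from the article. Engine version and KB numbers are
# taken from the article; the build-number mapping is an added assumption.
$fixedEngine = [version]'1.1.16400.2'

# Windows 10 / Server build number -> IE update listed in the article
$kbByBuild = @{
    18362 = 'KB4522016'   # Version 1903
    17763 = 'KB4522015'   # Version 1809, Server 2019
    17134 = 'KB4522014'   # Version 1803
    16299 = 'KB4522012'   # Version 1709
    15063 = 'KB4522011'   # Version 1703
    14393 = 'KB4522010'   # Version 1607, Server 2016
    10240 = 'KB4522009'   # Version 1507
}

function Test-DefenderEngine {
    # Get-MpComputerStatus belongs to the Defender module; it does not exist
    # for Microsoft Security Essentials on Windows 7.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $engine = $status.AMEngineVersion -as [version]
    if (-not $engine) { return 'Unknown (engine version not readable)' }
    if ($engine -ge $fixedEngine) { return "OK ($engine)" }
    return "Needs update ($engine is older than $fixedEngine)"
}

function Test-IEUpdate {
    $build = [int][Environment]::OSVersion.Version.Build
    $kb = $kbByBuild[$build]
    if (-not $kb) {
        # Pre-Windows 10 systems (Windows 7 SP1, 8.1, Server 2008 R2 - 2012 R2)
        if ($build -lt 10240) { $kb = 'KB4522007' }
        else { return "Unknown (build $build is not listed in the article)" }
    }
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
        return "OK ($kb installed)"
    }
    # A later cumulative update supersedes this KB, so a missing entry
    # means "verify manually", not "vulnerable".
    return "$kb not found; check for a newer cumulative update"
}

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    DefenderEngine = Test-DefenderEngine
    IEUpdate       = Test-IEUpdate
}
```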
Even NEWER updates for Win10 from versions 1607 to 1809 are now available Tue. Sept. 24, along with new preview rollups for Windows 7 & 8.1, and these brand new patches are available through Windows Update & the MS Update Catalog site.
So the previous patches that fix the recent IE security flaws are pretty much a moot point now.