Windows: Vulnerabilities in IE and Defender (09/23/2019)

Windows Update[German]On September 23, 2019, Microsoft unexpectedly released unscheduled security updates for Windows Defender, Microsoft Security Essentials, other security products, and Internet Explorer, which is expected to close vulnerabilities.


Advertising

The information about the vulnerability was provided via Twitter, as Bleeping Computer found out here.

Addendum: Meanwhile I also received a mail from Microsoft with information about CVE-2019-1367  and  CVE-2019-1255. Below I explain which updates are available.

Defender vulnerability CVE-2019-1255

Vulnerability CVE-2019-1255 addresses a Denial of Service vulnerability in Microsoft Defender. This vulnerability exists if Microsoft Defender handles files improperly. An attacker could exploit the vulnerability to prevent legitimate accounts from running legitimate system binaries.

To exploit the vulnerability, an attacker would first have to execute the exploit code on the affected system. Microsoft classifies the vulnerability as Important, but not as Critical. The security update fixes the vulnerability by ensuring that Microsoft Defender processes files properly. However, Microsoft does not yet provide any downloads to close the vulnerability. The following Microsoft security products are affected:


Advertising

  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft System Center Endpoint Protection
  • Microsoft System Center 2012 Endpoint Protection
  • Microsoft System Center 2012 R2 Endpoint Protection
  • Microsoft Security Essentials
  • Windows Defender

The security issue basically affects all supported Windows versions with the Microsoft Malware Protection Engine version 1.1.16300.1. The Microsoft Malware Protection Engine version 1.1.16400.2 addresses the vulnerability. The update should be performed automatically by the relevant Microsoft security products (however, the update does not appear to be ready yet).

Addendum: On Sept. 24, 2019 at about 8:00 a.m. (MEZ) a new update search under Windows 7 SP1 found the update KB2310138, which raised the module version of the antimalware engine to 1.1.16400.2 for the Microsoft Security Essentials. I assume that Windows 8.1 and Windows 10 and the other security products have also received this update.

How to find out the module versions is described in the blog post Defender Antimalware Version 4.18.1908.7 with sfc-Fix?

IE-Updates for Windows

Microsoft has also released a number of security updates for Internet Explorer. However, Microsoft does not explain why IE is vulnerable in the KB articles. This information can be found in CVE-2019-1367: This is a memory corruption vulnerability in IE’s scripting engine. This depends on how the scripting engine handles objects in memory in Internet Explorer. The vulnerability could damage memory to such an extent that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could obtain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs, view, modify, or delete data, or create new accounts with full user privileges. Microsoft has released the following security updates for the various versions of Windows 10 to close the Internet Explorer vulnerability.

  • KB4522016: Windows 10 Version 1903, Windows Server Version 1903
  • KB4522015:  Windows 10 Version 1809, Windows Server Version 1809, Windows Server 2019
  • KB4522014: Windows 10 Version 1803
  • KB4522012: Windows 10 Version 1709
  • KB4522011: Windows 10 Version 1703
  • KB4522010: Windows 10 Version 1607, Windows Server 2016
  • KB4522009: Windows 10 Version 1507
  • KB4522007: Windows Server 2008 R2 SP1, Windows Server 2012 R2, Windows Server 2012, Windows 8.1, Windows 7 SP1 für den IE 9 – 10

According to KB articles, the security updates are only available for manual download in the Microsoft Update Catalog and must be installed manually. Bleeping Computer has compiled some more information here.

Similar articles:
Defender Antimalware Version 4.18.1908.7 with sfc-Fix?
Scan issues with MSD/Defender Antimalware version 4.18.1908.7


Advertising


This entry was posted in browser, Security, Update, Windows and tagged , , , . Bookmark the permalink.

1 Response to Windows: Vulnerabilities in IE and Defender (09/23/2019)

  1. EP says:

    guenni

    even NEWER updates for Win10 from versions 1607 to 1809 are now available Tue. Sept. 24, along with new preview rollups for windows 7 & 8.1. and these brand new patches are available thru windows update & the ms update catalog site.

    so the previous patches that fix the recent IE security flaws are pretty much a moot point now.

Leave a Reply to EP Cancel reply

Your email address will not be published. Required fields are marked *