
Microsoft IE vulnerability to go unpatched until mid-Feb

28 Jan 2020

Microsoft has released a security advisory alerting users to an as-yet unpatched vulnerability in its Internet Explorer (IE) web browser that is being exploited in limited targeted attacks.

According to a recent blog post by ESET security writer Tomáš Foltýn, the issue “is a memory corruption issue in the browser’s scripting engine. Its exploitation could enable remote attackers to run code of their choice on the compromised system.”

“The vulnerability can be exploited by attackers who lure you to visit a malicious website via the browser, typically by sending an email. It could ultimately enable crooks to install programs, tamper with data or set up new accounts with full user rights on the affected system.”

This is described as a ‘zero-day’ vulnerability, meaning one that the software vendor is aware of but has not yet released a patch or fix for.

Microsoft plans to roll out a fix in the next scheduled patch on February 11.

Microsoft has released a security advisory on the vulnerability, stating “Microsoft is aware of this vulnerability and working on a fix. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.”

Foltýn points out that “The risk of exploitation is lower on Windows Server, where Internet Explorer is, by default, locked down to protect against browser-based attacks.”

“This restricted mode, called Enhanced Security Configuration, ‘can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server’, says Microsoft.”

Microsoft recently launched its new Chromium-based Edge browser, which is intended to replace Explorer as a day-to-day browser.

However, with the popularity and adaptability of Chrome and the security and privacy features of Firefox, if IT teams have not yet found a way to move their company away from Microsoft’s browsers, it may be time for them to look into it.

The vulnerability has been assigned the tracking code CVE-2020-0674.

If most of this sounds familiar, it is for good reason. As recently as September and November 2019, respectively, the company disclosed two other zero-days in the browser.

Foltýn points out that this is the third time in five months that vulnerabilities have been found in Explorer’s code, with two more being revealed in September and December of last year.
