What just happened? Microsoft’s Internet Explorer has only a small percentage of the desktop browser market, but plenty of people still use it. Those who do should update the program without delay: Microsoft has issued an out-of-band security update that fixes a critical vulnerability.
Yesterday, Microsoft published CVE-2019-1367, a remote code execution vulnerability in the way Internet Explorer's scripting engine handles objects in memory.
The vulnerability, discovered by Clément Lecigne of Google’s Project Zero Threat Analysis Group, is present in every version of Internet Explorer for Windows 7, 8.1, and 10. Microsoft writes that “The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.”
The risk is greatest when the target is logged in with administrative rights. In that case, an attacker exploiting the vulnerability could take control of the affected system, allowing them to “install programs; view, change, or delete data; or create new accounts with full user rights.”
Attackers could create a specially crafted website that exploits the vulnerability through Internet Explorer. They might then convince someone to view the website by sending them a link in an email, for example.
Microsoft said the vulnerability is being actively exploited in the wild, so updating IE or moving to another browser is strongly advised.
Google’s Project Zero made headlines recently after it discovered that a collection of hacked websites had been used to infect thousands of iPhones with malicious software. It was later revealed that the sites also targeted Google and Windows users, and the campaign may have been a way for China to spy on Uighur Muslims.