
Microsoft IE vulnerability to go unpatched until mid-Feb

28 Jan 2020

Microsoft has released a security advisory alerting users to an as-yet unpatched vulnerability in its Internet Explorer (IE) web browser that is being exploited in limited targeted attacks.

According to a recent blog post by ESET security writer Tomáš Foltýn, the issue “is a memory corruption issue in the browser’s scripting engine. Its exploitation could enable remote attackers to run code of their choice on the compromised system.”

“The vulnerability can be exploited by attackers who lure you to visit a malicious website via the browser, typically by sending an email. It could ultimately enable crooks to install programs, tamper with data or set up new accounts with full user rights on the affected system.”

This is described as a ‘zero-day’ vulnerability, meaning one that a software vendor is aware of, but has not yet released a patch or fix for.

Microsoft plans to roll out a fix in the next scheduled patch on February 11.

Microsoft has released a security advisory on the vulnerability, stating “Microsoft is aware of this vulnerability and working on a fix. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.”

Foltýn points out that “The risk of exploitation is lower on Windows Server, where Internet Explorer is, by default, locked down to protect against browser-based attacks.”

“This restricted mode, called Enhanced Security Configuration, ‘can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server’, says Microsoft.”

Microsoft recently launched its new Chromium-based Edge browser, which is intended to replace Explorer as a day-to-day browser.

However, with the popularity and adaptability of Chrome and the security and privacy features of Firefox, if IT teams have not yet found a way to move their company away from Microsoft’s browsers, it may be time for them to look into it.

The vulnerability has been designated with the tracking code CVE-2020-0674.

If most of this sounds familiar, it is for good reason. As recently as September and November 2019, respectively, the company disclosed two other zero-days in the browser.

Foltýn points out that this is the third time in five months that vulnerabilities have been found in Explorer’s code, with two more being revealed in September and December of last year.
