Zero-day vulnerability found in Internet Explorer

By Staff Writer, ITWeb
Johannesburg, 13 Nov 2019

Endpoint protection solution provider Resecurity has discovered a critical zero-day vulnerability in the JScript Garbage Collector mechanism within Internet Explorer, which enables attackers to execute arbitrary code.

According to the Microsoft Security Response Center (MSRC), a remote code execution (RCE) vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, and could corrupt memory in such a way that a threat actor could execute arbitrary code in the context of the current user.

A cyber crook who successfully exploited the vulnerability could gain the same user rights as the current user. Should the current user be logged on with administrative user rights, the attacker could take control of an affected system, and would be able to install programs; view, change, or delete data; or create new accounts with full user rights.

In a Web-based attack scenario, a cyber criminal could host a Web site that is specifically tailored to exploit the vulnerability through Internet Explorer and then convince a user to view the site. Alternatively, they could embed an ActiveX control labeled "safe for initialisation" within an app or Office document that hosts the IE rendering engine and fool an unsuspecting user into opening it. In this last scenario, the user wouldn't even need to use Internet Explorer to become infected.

According to Resecurity, RCE vulnerabilities are actively used by threat actors to distribute malicious code. 

“From the date of reporting, the vulnerability had zero-day status, and cyber espionage groups and state actors are using it for targeted attacks and APT campaigns.”

The vulnerability was reported to Microsoft on 20 October by Resecurity’s R&D unit, called Hunter, which provided a detailed description of the vulnerability, along with proof-of-concept. 

Microsoft released a patch for all versions on 12 November; the vulnerability is tracked as CVE-2019-1429.
