- The IE zero-day flaw could grant full access to victims’ computers.
- Internet Explorer 9, 10, 11 affected.
- The zero-day flaw was discovered by Google’s Threat Analysis Group.
The Internet Explorer zero-day flaw allowed attackers to take control of victims’ computers by executing code remotely when users visited malicious websites. It was identified by Clément Lecigne, a member of Google’s Threat Analysis Group, the same group that had earlier identified and reported an advanced Chinese iPhone malware campaign.
Attacker could gain full control
Explaining the flaw, Microsoft noted that attackers could end up gaining administrator rights if the affected user is an administrator. The attacker could install new programs, add, modify or delete data, or even create new user accounts with full rights.
“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could run arbitrary code in the context of the current user. The security update addresses the vulnerability by changing how the scripting engine handles objects in memory,” the CVE page revealed.
Although Microsoft has been advising Windows users to switch to Edge, Internet Explorer is still used by a sizable number of users. According to the latest report by StatCounter, Internet Explorer has a 4.4% market share globally, just a shade lower than Edge’s 4.71% share.
Windows Defender also gets a security fix
Apart from the fix for Internet Explorer, Microsoft has also issued a patch for a Windows Defender denial-of-service vulnerability. Initially reported by Charalampos Billinis from F-Secure Countercept and Wenxu Wu from Tencent Security Xuanwu Lab, this vulnerability is not as serious as the Internet Explorer zero-day. Microsoft says that this vulnerability does not seem to have been exploited as of now.