Advisory Overview:
Microsoft has released an emergency patch for Internet Explorer (multiple versions) that fixes a critical vulnerability in that browser. By manipulating Internet Explorer via a specially-configured website, a threat actor can gain privileges equal to the user who is currently logged in – allowing them to install malware or perform other damaging operations. Users should immediately utilize standard Windows update methods (consult your IT Team or Managed Service Provider for details) and ensure that the patch is applied as quickly as possible.
Technical detail and additional information
What is the threat?
Multiple versions of Internet Explorer (IE) have a vulnerability that allows specially-crafted web pages to manipulate the object-handling components of the browser. Such manipulation can allow an attacker to gain elevated privileges up to and including all privileges that the currently logged-in user holds. Once these privileges are obtained, an attacker can remotely install additional software, establish persistence in the target network, and being seeking lateral attack vectors.
Why is this noteworthy?
Internet Explorer (IE) has suffered from waning popularity in recent years; however, using IE as an attack vector still makes this threat incredibly dangerous. IE is installed on every Windows desktop, laptop, server, and tablet; and is very difficult to remove. This means that every Windows device has at least the potential to fall victim to this threat. In many corporations, IE is the default browser on every Windows device; so even in cases where the users’ primary browser is Chrome, Firefox, or Opera; IE may still be opened when a user interacts with a link in an email. As many users also have local administrative privileges on their Windows devices, an attacker can use this vulnerability to gain local administrative control; posing significant and serious risk to both the individual device and the network it is connected to. If the victim has network- or domain-level administrative control, the compromise could endanger the entire organization.
What is the exposure or risk?
As every Windows device ships with Internet Explorer and has it as the default browser until changed by the user or by Group Policy, the attack surface for this threat is significant in both business and non-business settings. Many users may not know how to change the default browser away from IE or be prohibited to do so by Group Policy or Mobile Device Management systems. Therefore, all Windows devices should be considered at some level of risk for this threat and should be patched immediately.
What are the recommendations?
Microsoft has taken the unusual step of releasing and out-of-band patch to address this vulnerability. Out-of-band patches are emergency or critical patches addressing issues with such threat or disruption potential that it is not suggested that organizations wait until the next “Patch Tuesday” regular patching time frame to apply them. Organizations and individuals should use Windows Update (or the organizations patch management system) to apply this patch at the earliest possible convenience. SKOUT strongly recommends that users and businesses do not delay in the application of this patch, even if patching requires disruptions or downtimes to apply. Change control teams should expedite this patch wherever possible.
References:
For more in-depth information about the recommendations, please visit the following link:
- https://threatpost.com/microsoft-internet-explorer-zero-day-flaw-addressed-in-out-of-band-security-update/148584/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367
If you have any questions, please contact our Security Operations Center.
