Microsoft IE vulnerability to go unpatched until mid-Feb
Microsoft has released a security advisory alerting users to an as-yet unpatched vulnerability in its Internet Explorer (IE) web browser that is being exploited in limited targeted attacks.
According to a recent blog post by ESET security writer Tomáš Foltýn, the issue “is a memory corruption issue in the browser’s scripting engine. Its exploitation could enable remote attackers to run code of their choice on the compromised system.”
“The vulnerability can be exploited by attackers who lure you to visit a malicious website via the browser, typically by sending an email. It could ultimately enable crooks to install programs, tamper with data or set up new accounts with full user rights on the affected system.”
This is described as a ‘zero-day’ vulnerability, meaning one that a software vendor is aware of, but has not yet released a patch or fix for.
Microsoft plans to roll out a fix in the next scheduled patch on February 11.
Microsoft has released a security advisory on the vulnerability, stating “Microsoft is aware of this vulnerability and working on a fix. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.”
Foltýn points out that “The risk of exploitation is lower on Windows Server, where Internet Explorer is, by default, locked down to protect against browser-based attacks.”
“This restricted mode, called Enhanced Security Configuration, “can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server”, says Microsoft.”
Microsoft recently launched its new Chromium-based Edge browser which is intended to replace Explorer as a day-to-day browser.
However, with the popularity and adaptability of Chrome and the security and privacy features of Firefox, if IT teams have not yet found a way to move their company away from Microsoft’s browsers, it may be time for them to look into it.
The vulnerability has been designated with the tracking code CVE-2020-0674.
If most of this sounds familiar, it is for good reason. As recently as September and November 2019, respectively, the company disclosed two other zero-days in the browser.
Foltýn points out that this is the third in five months that vulnerabilities have been found in Explorer’s code, with two more being revealed in September and December of last year.