Ten days ago Microsoft released an out of band Cumulative Update for all supported versions of Windows 10 which addresses a new Remote Code Execution Internet Explorer vulnerability.

Then the update was only available via the Update Catalogue, but it appears Microsoft now has enough confidence in the patch to push it out to all versions of Windows.

Microsoft describes the serious bug as follows:

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

Microsoft also used the opportunity to push out another bug fix, this time to fix printer issues caused by an earlier patch for the same IE flaw.

“Addresses an intermittent issue with the print spooler service that may cause print jobs to fail. Some apps may close or generate errors, such as the remote procedure call (RPC) error,” notes the changelog.

The full changelog for KB4524147 reads:

This security update includes the Internet Explorer scripting engine security vulnerability (CVE-2019-1367) mitigation and corrects a recent printing issue some users have experienced.

Key changes include:

  • Addresses an intermittent issue with the print spooler service that may cause print jobs to fail. Some apps may close or generate errors, such as the remote procedure call (RPC) error.
  • Addresses an issue that may result in an error when you install Features On Demand (FOD), such as .Net 3.5. The error is, “The changes couldn’t be complete. Please reboot your computer and try again. Error code: 0x800f0950.”

Windows users can download the update by Checking for Updates in Settings or wait for it to be installed automatically.

Via ZDNet

Comments