Submitted via IRC for Bytram
Nine words to ruin your Monday: Emergency Internet Explorer patch amid in-the-wild attacks
Microsoft today issued a rare emergency security update for Internet Explorer to address a critical flaw in the browser that's being exploited right now in the wild.
Redmond says the vulnerability, a scripting-engine memory-corruption bug designated CVE-2019-1367, can be abused by a malicious webpage or email to achieved remote code execution: that means Windows PCs can be hijacked by viewing a suitably booby-trapped website, or message, when using Internet Explorer. Malware, spyware, and other software nasties can be injected to run on the computer, in that case.
Discovery of the flaw, and its exploitation in the wild by miscreants to commandeer systems, was attributed to Clément Lecigne of the Google Threat Analysis Group. The programming blunder is present in at least IE 9 to 11.
Such flaws are not uncommon, and Microsoft typically patches anywhere from 10-20 browser and scripting engine remote code execution each month with the Patch Tuesday bundle. Because they allow remote code execution with little or no user warning or interaction, Redmond considers such bugs to be critical security risks.
In this case, the severity of the flaw combined with the fact that vulnerability is being actively targeted has prompted Microsoft to break its normal patch cycle and release the update today, rather than wait until October 8 when the next Patch Tuesday drop is due to arrive.
[...] Microsoft also dropped a fix for a less-severe denial of service vulnerability in the Windows Defender security tool.
CVE-2019-1255 describes a file-handling error in Defender that will cause the security tool to generate a false positive when scanning an application. An attacker who already has access to the system could abuse the feature to make the tool block some applications.
"An attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries," Microsoft said.
(Score: 2) by NotSanguine on Tuesday September 24 2019, @04:34AM (4 children)
I think one word sums it up nicely: schadenfreude [wikipedia.org]
Not for the poor users getting pwned, but for the jackasses in Redmond who can't find their asses with both hands and a mirror.
I received the security update release notification today:
But since I don't use either steaming pile of garbage (Defender and Internet Explorer), I didn't care.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 0) by Anonymous Coward on Tuesday September 24 2019, @07:56AM (1 child)
That was almost going to be my response, seeing as I normally use Linux these days, but then I remembered that I do have Defender installed on one of the laptops (long story short: It was the only AV software which 'played nice' with some bespoke crap installed on it), and then it the occurred to me that even though IE isn't used on any of the windows machines directly, at least one of the CAD packages uses it (or some part of it) indirectly...oh fuckstockings!
(Score: 0) by Anonymous Coward on Tuesday September 24 2019, @02:54PM
Yup. I'm forced to use Explorer because a website our company must use will not work on Edge. Not my choice, and no we can't use a different browser and no we can't choose to not go to that website.
(Score: 3, Informative) by zeigerpuppy on Tuesday September 24 2019, @08:02AM (1 child)
However, the main problem is using the steaming pile of excrement that is Windows. Not much reason to continue down that dead end these days.
(Score: 4, Funny) by DannyB on Tuesday September 24 2019, @02:01PM
Windows IS a steaming pile of bovine excrement. (And malware.)
Each Windows Update is a fresh topping of festering goat vomit. (And an attack upon your system.)
Mentioning these facts is not misusing any trademarks. I am not attempting to create any confusion in the market. I want it to be perfectly and unmistakably clear which company and product I am expressing an opinion about. And it is nothing more than an opinion.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.