
Microsoft IE vulnerability to go unpatched until mid-Feb

28 Jan 2020

Microsoft has released a security advisory alerting users to an as-yet unpatched vulnerability in its Internet Explorer (IE) web browser that is being exploited in limited targeted attacks.

According to a recent blog post by ESET security writer Tomáš Foltýn, the issue “is a memory corruption issue in the browser’s scripting engine. Its exploitation could enable remote attackers to run code of their choice on the compromised system.”

“The vulnerability can be exploited by attackers who lure you to visit a malicious website via the browser, typically by sending an email. It could ultimately enable crooks to install programs, tamper with data or set up new accounts with full user rights on the affected system.”

This is described as a ‘zero-day’ vulnerability, meaning one that the software vendor is aware of but has not yet released a patch or fix for.

Microsoft plans to roll out a fix in the next scheduled patch on February 11.

Microsoft has released a security advisory on the vulnerability, stating “Microsoft is aware of this vulnerability and working on a fix. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.”

Foltýn points out that “The risk of exploitation is lower on Windows Server, where Internet Explorer is, by default, locked down to protect against browser-based attacks.”

“This restricted mode, called Enhanced Security Configuration, ‘can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server’, says Microsoft.”

Microsoft recently launched its new Chromium-based Edge browser, which is intended to replace Explorer as a day-to-day browser.

However, with the popularity and adaptability of Chrome and the security and privacy features of Firefox, if IT teams have not yet found a way to move their company away from Microsoft’s browsers, it may be time for them to look into it.

The vulnerability has been assigned the tracking code CVE-2020-0674.

If most of this sounds familiar, it is for good reason. As recently as September and November 2019, respectively, the company disclosed two other zero-days in the browser.

Foltýn points out that this is the third time in five months that vulnerabilities have been found in Explorer’s code, with two more being revealed in September and December of last year.
