Microsoft Issues Security Advisories for IE and Microsoft Defender

Microsoft on Monday released two "out-of-band" security advisories, one for its Internet Explorer (IE) browsers and another regarding its Microsoft Defender antimalware solution.

The IE vulnerability (CVE-2019-1367) is a remote code execution flaw that's rated "Critical" and "Moderate." This vulnerability has been exploited, although the exploit code isn't public.

The IE vulnerability stems from how the browser's scripting engine handles objects in memory. The flaw permits an attacker to "execute code in the context of the current user," which means administrative rights if that user is a system administrator. It's present in IE 11 on Windows 10 and Windows Server 2019, IE 10 on Windows Server 2012, and IE 9 on Windows Server 2008 Service Pack 2.

There's no patch for the IE vulnerabilities until October. Update 9/25: Microsoft's Message Center page includes new information that optional Windows 10 updates released on September 24 and September 26 through Windows Update and the Microsoft Update Catalog contain a "mitigation for this vulnerability" in IE's memory handling. The Message Center post also explains, in part, why Microsoft didn't just push down a patch in the first place: it will require a system reboot to take effect.

Microsoft's security bulletin offered "mitigations" to run that will restrict access to the JScript Dynamic Link Library, although the mitigations "might result in reduced functionality" for some components. The one exception is use of JScript9.dll, which isn't affected. Windows Server Update Service users will need to "manually download this update from Microsoft Update Catalog to deploy" it, according to the advisory. More such details are described in this IE cumulative update article.

The other security advisory is about a vulnerability in Microsoft Defender (CVE-2019-1255), which could lead to denial of service. It's rated "Important," but the vulnerability hasn't been exploited or published yet.

No action is required to address the Microsoft Defender vulnerability, as Microsoft will simply update its antimalware definitions, as well as the Microsoft Malware Protection Engine.

The Microsoft Malware Protection Engine is considered to be patched if it's at version 1.1.16400.2, Microsoft's advisory indicated. Microsoft updates the antimalware definitions and the engine once a month, or as needed. IT pros should verify the engine's version number and ensure that "their update management software is configured to automatically approve and distribute engine updates and new malware definitions," the advisory indicated.
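One way to run that version check, as an added example that is not part of the advisory or the original article: it reads the engine version reported by the built-in `Get-MpComputerStatus` cmdlet and compares it with 1.1.16400.2. The function name `Test-DefenderEnginePatched` is hypothetical, and remote checks assume CIM/WinRM access to the hosts you pass in.

```powershell
# Added example, not from the advisory. Engine version 1.1.16400.2 is the
# patched version named in the article; the function name is hypothetical.
$PatchedEngine = [version]'1.1.16400.2'

function Test-DefenderEnginePatched {
    param(
        # Hosts to check; an empty list means the local machine only.
        [string[]]$ComputerName = @()
    )
    $targets = if ($ComputerName.Count) { $ComputerName } else { @($env:COMPUTERNAME) }
    foreach ($computer in $targets) {
        $session = $null
        try {
            if ($computer -eq $env:COMPUTERNAME) {
                $status = Get-MpComputerStatus -ErrorAction Stop
            } else {
                # Assumes CIM/WinRM is reachable on the remote host.
                $session = New-CimSession -ComputerName $computer -ErrorAction Stop
                $status  = Get-MpComputerStatus -CimSession $session -ErrorAction Stop
            }
            # Compare as [version], not as strings, so 1.1.9000.0 sorts below 1.1.16400.2.
            $engine = [version]$status.AMEngineVersion
            [pscustomobject]@{
                ComputerName      = $computer
                EngineVersion     = $engine
                SignaturesUpdated = $status.AntivirusSignatureLastUpdated
                Patched           = $engine -ge $PatchedEngine
                Error             = $null
            }
        } catch {
            # Defender cmdlets missing, service stopped, or host unreachable:
            # report the host as unknown instead of counting it as patched.
            [pscustomobject]@{
                ComputerName      = $computer
                EngineVersion     = $null
                SignaturesUpdated = $null
                Patched           = $null
                Error             = $_.Exception.Message
            }
        } finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

# Local check; pass -ComputerName with your own host list for remote machines.
Test-DefenderEnginePatched | Format-Table -AutoSize
```

Hosts that come back with `Patched` empty need a follow-up, since the engine version could not be read at all.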

The advisories, which fell out of Microsoft's usual "update Tuesday" security bulletin release cycle, were noted in this National Cyber Awareness System post.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

