ALERT: Apply update to Microsoft Internet Explorer

Microsoft has released a rare out-of-band security update to address a critical vulnerability in Microsoft Internet Explorer (IE) that can allow for remote code execution. The update must be applied manually.

Microsoft has also released an out-of-band update to fix a bug in Microsoft Defender (the antivirus component of Microsoft Windows). The Defender update will be applied automatically; Defender is set for automatic updates by default.

If IE is used to visit a malicious website, the vulnerability could allow remote code execution as the currently logged-in user. The Windows Defender bug could prevent legitimate accounts from executing legitimate system binaries, but an attacker would first need access to a victim's system and the ability to execute code.

The IE vulnerability is being actively exploited in the wild.

Apply the IE updates provided by Microsoft as soon as possible after appropriate testing. Due to the active exploitation of the vulnerability as described in Microsoft's announcement, ITS Information Assurance recommends an expedited time frame of two to four weeks to apply the update to endpoints. The threat justifies an accelerated timeline for updating that is faster than the timelines specified in Vulnerability Management (DS-21).

See Microsoft's CVE pages for links to downloads:

• CVE-2019-1367
• CVE-2019-1255

CVE-2019-1367 is a memory corruption vulnerability in the way that Internet Explorer’s scripting engine handles objects in memory. Exploitation of this vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

• Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
• IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
• IA provides vulnerability management guidance to the university.

Internet Explorer on MiWorkspace machines and other university-managed machines will be updated as soon as possible after appropriate testing. If you have Internet Explorer on a personal computer, you will need to apply the update manually. It will not be installed through automatic updates.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

• CVE-2019-1367 | Scripting Engine Memory Corruption Vulnerability (Microsoft, 9/23/19)
• CVE-2019-1255 | Microsoft Defender Denial of Service Vulnerability (Microsoft, 9/23/19)
• Microsoft releases out-of-band security update to fix IE zero-day & Defender bug (ZDNet, 9/24/19)
• MITRE CVE-2019-1367
• MITRE CVE-2019-1255