ALERT: Apply update to Microsoft Internet Explorer
Tuesday, September 24, 2019
This information was sent to U-M IT staff groups through email on September 24, 2019. It is intended for U-M IT staff who are responsible for university computers with Microsoft Internet Explorer or Microsoft Defender. Any Windows user may be interested.
Microsoft has released a rare out-of-band security update to address a critical vulnerability in Microsoft Internet Explorer (IE) that can allow for remote code execution. The update must be applied manually.
Microsoft has also released an out-of-band update to fix a bug in Microsoft Defender (the antivirus component of Microsoft Windows). The Defender update will be applied automatically; Defender is set for automatic updates by default.
If IE is used to visit a malicious website, the vulnerability could allow remote code execution as the currently logged-in user. The Windows Defender bug could prevent legitimate accounts from executing legitimate system binaries, but an attacker would first need access to a victim's system and the ability to execute code.
The IE vulnerability is being actively exploited in the wild.
- Internet Explorer 9, 10, 11
- Microsoft Forefront Endpoint Protection 2010
- Microsoft Security Essentials
- Microsoft System Center 2012 Endpoint Protection
- Microsoft System Center 2012 R2 Endpoint Protection
- Microsoft System Center Endpoint Protection
- Microsoft Defender
Apply the IE updates provided by Microsoft as soon as possible after appropriate testing. Due to the active exploitation of the vulnerability as described in Microsoft's announcement, ITS Information Assurance recommends an expedited time frame of two to four weeks to apply the update to endpoints. The threat justifies an accelerated timeline for updating that is faster than the timelines specified in Vulnerability Management (DS-21).
See Microsoft's CVE pages for links to downloads:
CVE-2019-1367 is a memory corruption vulnerability in the way that Internet Explorer’s scripting engine handles objects in memory. Exploitation of this vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
How We Protect U-M
- Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
- IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
- IA provides vulnerability management guidance to the university.
Information for Users
Internet Explorer on MiWorkspace machines and other university-managed machines will be updated as soon as possible after appropriate testing. If you have Internet Explorer on a personal computer, you will need to apply the update manually. It will not be installed through automatic updates.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
- CVE-2019-1367 | Scripting Engine Memory Corruption Vulnerability (Microsoft, 9/23/19)
- CVE-2019-1255 | Microsoft Defender Denial of Service Vulnerability (Microsoft, 9/23/19)
- Microsoft releases out-of-band security update to fix IE zero-day & Defender bug (ZDNet, 9/24/19)
- MITRE CVE-2019-1367
- MITRE CVE-2019-1255