An update closes a critical hole in Internet Explorer – but it is not yet available through Windows Update. Also Windows Defender gets a patch.
Currently, attackers target users with Windows computers using Internet Explorer. If an attack is successful, the execution of malicious code is conceivable. A security patch is available but does not have Windows Update.
For a successful attack, attackers only have to lure victims onto a crafted website. The visit triggers the “critical” vulnerability (CVE-2019-1367) in the memory manager (Scripting Engine), which results in a memory corruption.
In addition, attackers could execute their own code on computers with the victim’s rights. If a victim has admin rights at the time of the attack, the attackers can take full control, Microsoft warns in a post.
Download the update manually
Affected by this are Internet Explorer 9, 10 and 11 in different versions of Windows. According to Microsoft, the update is not yet available through Windows Update at this time. Accordingly, you have to manually download and install it. Microsoft wants to distribute the security update only in October for Patchday over Windows Update.
If you can not install the patch right now, you should hedge your system with a workaround. How this works, Microsoft explains at the end of a contribution to the gap.
Another emergency update
Even Windows Defender gets a patch out of line. Vulnerability exploitation (CVE-2019-1255) can put the virus scanner in a DoS state. The update is considered important. For an attack to work, an attacker already needs access to a system, Microsoft says in a warning message. (of)