CVE-2019-1367：严重级别的 Internet Explorer 内存损坏漏洞在通常环境中遭到利用

Zero-day memory corruption vulnerability in Internet Explorer has been observed in attacks in the wild

背景

On September 23, Microsoft released an out-of-band patch for a zero-day vulnerability in Internet Explorer that has been exploited in the wild.

分析

CVE-2019-1367 is a memory corruption vulnerability in Internet Explorer’s scripting engine in the way that objects in memory are handled. Exploitation of this vulnerability could result in the attacker gaining arbitrary code execution under the same privileges as the current user. In the event that the current user has administrative privileges, an attacker could perform various actions on the system, from creating a new account with full privileges to installing programs or even modifying data.

To exploit the vulnerability, an attacker would have to host the exploit on a malicious website and socially engineer a user into opening that website in Internet Explorer. In the case of a targeted attack, an attacker could include a link to the malicious website in an email or in a malicious email attachment (HTML file, PDF file, Microsoft Office document) that supports embedding the scripting engine content.

The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG). Earlier this year, Lecigne discovered and reported two zero-day vulnerabilities: a use-after-free vulnerability in Google Chrome (CVE-2019-5786) and an elevation of privilege vulnerability in Microsoft Windows (CVE-2019-0808) that were exploited together in the wild.

Additional details about the in-the-wild exploitation of this vulnerability have not yet been made public by Lecigne and Google’s TAG, though we anticipate such details will be disclosed in a blog post in the near future.

概念验证

At the time this blog was published, no proof-of-concept (PoC) was available.

解决方案

Microsoft released an out-of-band patch for this vulnerability due to the report that it has been exploited in the wild. Please refer to the Security Updates section for additional information on the IE Cumulative Update or relevant Security Updates.

Additionally, Microsoft has provided workarounds for both 32-bit and 64-bit systems by restricting access to the JScript.dll file. An administrator can do so by entering specific commands into the command prompt; the commands are available at the end of the security advisory page. However, these workarounds should only be used as a temporary measure until patching is feasible. Commands to revert the workarounds are also available on the Microsoft security advisory page linked above.

识别受影响的系统

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

获取更多信息

• Microsoft Security Advisory for CVE-2019-1367

加入 Tenable Community 中的 Tenable 安全响应团队

了解有关 Tenable 这款首创 Cyber Exposure 平台的更多信息，全面管理现代攻击面。

Get a free 60-day trial of Tenable.io Vulnerability Management.