There's good news and bad news. The good news is that Microsoft patched an Internet Explorer security vulnerability that enabled remote code execution on Monday. The bad news is that the company released this patch via a cumulative update to Windows 10, and saying its track record with those updates has been hit-or-miss lately would be an understatement, given the many problems Windows users have reported over the last few weeks.
Let's talk about the vulnerability first. It was assigned the identifier of CVE-2019-1367 and, according to Microsoft, was patched before it was publicly disclosed. (Although it has been exploited, according to the company.) Internet Explorer versions 9-11 were affected on Windows 7, 8.1 and 10 as well as several versions of Windows Server. Microsoft said there were no mitigations or workarounds capable of handling the flaw without this update.
Here's what the company said about the vulnerability itself:
"A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Microsoft said that someone could set up a website designed to exploit this vulnerability whenever someone using Internet Explorer viewed it. As easy as it would be to say that anyone still using Internet Explorer is practically asking for trouble, the reality is that many people still rely on the browser, and people who aren't tech savvy enough to use a modern browser would be particularly vulnerable to attacks like the one Microsoft described.
This update "addresses the vulnerability by modifying how the scripting engine handles objects in memory," Microsoft said, but it didn't offer any specifics. There don't appear to be any other changes in the KB4522016 cumulative update released yesterday; problems affecting certain Input Method Editors as well as Windows audio remain in the "known issues" section of the company's support article about the release.
