Microsoft releases out-of-band patches for IE, Defender zero-days

Microsoft has released a out-of-band emergency security patch to resolve two actively-exploited zero-day vulnerabilities in its Internet Explorer and Microsoft Defender software packages.

While Microsoft has traditionally released updates for its products on Patch Tuesday, the first Tuesday of a given month, critical vulnerabilities force its hand into releasing out-of-band updates on an ad-hoc schedule. Such is the case for a pair of zero-day vulnerabilities in the company's Internet Explorer and Microsoft Defender products, the most serious of which allows for arbitrary code execution simply by the user visiting a malicious website.

Released late last night, an out-of-band patch for Internet Explorer - Microsoft's last-last-generation web browser, which was replaced in Windows 10 with Microsoft Edge only for Edge itself to be replaced with a Chromium-based browser bearing the Edge name - addresses a memory corruption vulnerability under active exploitation. 'A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer,' the company explains in its security advisory. 'The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

'An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.'

The patch is joined by a second for a thankfully less-serious flaw in the company's Microsoft Defender product family, ironically designed to check for security issues including viruses and other malware and alert the user. While this vulnerability doesn't include the ability to execute arbitrary code, it does allow an attacker to execute a local denial of service (DoS) attack on an affected system - and with the Defender engine driving everything from the free Microsoft Security Essentials and Windows Defender products to the Forefront and Endpoint Protection families, that's not an ideal scenario.

More information on the Internet Explorer and Microsoft Defender vulnerabilities are available on their respective security notification pages; the patches, meanwhile, are installable through Windows Update now.