Microsoft released an out-of-band update yesterday that fixes two critical vulnerabilities: the Internet Explorer remote code execution vulnerability (CVE-2019-1367) and the Microsoft Defender denial of service vulnerability (CVE-2019-1255).
According to the Microsoft advisory for CVE-2019-1367, the Internet Explorer scripting engine vulnerability has been exploited in active attacks in the wild. Users are advised to manually update their systems immediately.
CVE Details
CVE-2019-1367: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could run arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.
CVE-2019-1255: A denial of service vulnerability exists when Microsoft Defender improperly handles files. An attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries. To exploit the vulnerability, an attacker would first require execution on the victim system. The security update addresses the vulnerability by ensuring Microsoft Defender properly handles files.
Detecting CVE-2019-1255 and CVE-2019-1367
The best method for identifying vulnerable hosts is through the Qualys Cloud Agent or via Qualys authenticated scanning. Qualys has issued QIDs 91577 and 100388 for Qualys Vulnerability Management, which cover CVE-2019-1255 and CVE-2019-1367 respectively. These QIDs are included in signature version VULNSIGS-2.4.708-2.
You can search for this within the VM Dashboard by using the following QQL query:
vulnerabilities.vulnerability:(qid:91577 OR qid:100388)
Workaround: Restrict Access to JScript.dll
Microsoft has listed workarounds for CVE-2019-1367 to protect systems if the patch cannot be applied right away:
For 32-bit systems, enter the following commands at an administrative command prompt:
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
For 64-bit systems, enter the following commands at an administrative command prompt:
takeown /f %windir%\syswow64\jscript.dll
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
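To confirm on a host that the workaround above actually took effect, the ACL on each copy of jscript.dll can be inspected. The PowerShell check below is an added example, not part of Microsoft's advisory or the original post; the helper name Get-JScriptWorkaroundStatus is hypothetical, and it assumes the cacls everyone:N entry appears as a Deny access rule for the Everyone group (well-known SID S-1-1-0).

```powershell
# Added example (not from the advisory): report whether the jscript.dll
# workaround is in place. Run from 64-bit PowerShell on 64-bit Windows;
# a 32-bit process has system32 redirected to syswow64.
# Assumption: cacls "everyone:N" shows up as a Deny ACE for Everyone (S-1-1-0).

$EveryoneSid = 'S-1-1-0'
$Paths = @(
    (Join-Path $env:windir 'system32\jscript.dll'),
    (Join-Path $env:windir 'syswow64\jscript.dll')   # absent on 32-bit Windows
)

# Hypothetical helper name; returns one status string per file.
function Get-JScriptWorkaroundStatus {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return 'NotPresent' }
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    }
    catch {
        # takeown gives ownership to the account that ran it; an account
        # covered by the deny entry may be unable to read the ACL at all.
        return 'AclUnreadable'
    }
    # Translate identities to SIDs so localized group names do not matter.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $EveryoneSid -and
            $rule.AccessControlType -eq 'Deny') {
            return 'Restricted'
        }
    }
    return 'NotRestricted'
}

$Paths | ForEach-Object {
    [pscustomobject]@{
        Path   = $_
        Status = Get-JScriptWorkaroundStatus -Path $_
    }
} | Format-Table -AutoSize
```

A status of NotRestricted on either path of a 64-bit system means the workaround is incomplete there, since both the system32 and syswow64 copies need the restriction.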
Resources
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1255
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367