Zero-day flaws in Internet Explorer and Exchange patched by Microsoft

Exploit code is known to be in circulation for both vulnerabilities

Two zero-day flaws affecting Internet Explorer and Exchange have been fixed by Microsoft as part of its weekly 'Patch Tuesday' update rollout. Both vulnerabilities were known to have exploit code in circulation.

One of the patches addressed an "important" privilege elevation flaw in Microsoft Exchange Server that could be used to gain administrative control over an Exchange server via a relatively straightforward man-in-the-middle attack. It was first revealed last month by security researchers, with proof-of-concept exploit code to accompany it.

Patches have been issued for Exchange Server 2010, 2013, 2016 and 2019. Microsoft's advisory warned that the vulnerability - which is designated as CVE-2019-0686 - warned that although no active exploits had been detected in the wild, exploits were likely.

The second issue relates to Internet Explorer and the way it handles objects in memory. Unlike the Exchange flaw, this vulnerability was not disclosed but was discovered by Google's Project Zero researchers being actively exploited in the wild.

"An attacker who successfully exploited this vulnerability could test for the presence of files on disk," Microsoft's advisory warned. "For an attack to be successful, an attacker must persuade a user to open a malicious website."

The flaw - CVE-2019-0676 - affects Internet Explorer versions 10 and 11 on all supported platforms, including Windows Server 2012, 2016 and 2019.

Along with these issues, this week's Patch Tuesday saw fixes for products including Edge, Windows, .NET Framework, Visual Studio Code and the ever-updated Adobe Flash Player.

IT administrators should take note of the patches and work to apply them as the vulnerabilities are now out in the public's eye and thus potentially ripe for hackers to exploite them if they aren't fixed. 

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Global ransom DDoS extortionists are retargeting companies
distributed denial of service (DDOS)

Global ransom DDoS extortionists are retargeting companies

22 Jan 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Gmail vs Outlook.com: Which one is better?
email providers

Gmail vs Outlook.com: Which one is better?

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021

Most Popular

School laptops sent by government arrive loaded with malware
malware

School laptops sent by government arrive loaded with malware

21 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021