Zero-day flaws in Internet Explorer and Exchange patched by Microsoft

Exploit code is known to be in circulation for both vulnerabilities

Two zero-day flaws affecting Internet Explorer and Exchange have been fixed by Microsoft as part of its weekly 'Patch Tuesday' update rollout. Both vulnerabilities were known to have exploit code in circulation.

One of the patches addressed an "important" privilege elevation flaw in Microsoft Exchange Server that could be used to gain administrative control over an Exchange server via a relatively straightforward man-in-the-middle attack. It was first revealed last month by security researchers, with proof-of-concept exploit code to accompany it.

Patches have been issued for Exchange Server 2010, 2013, 2016 and 2019. Microsoft's advisory for the vulnerability - which is designated as CVE-2019-0686 - warned that although no active exploits had been detected in the wild, exploits were likely.

The second issue relates to Internet Explorer and the way it handles objects in memory. Unlike the Exchange flaw, this vulnerability had not been disclosed; Google's Project Zero researchers discovered it being actively exploited in the wild.

"An attacker who successfully exploited this vulnerability could test for the presence of files on disk," Microsoft's advisory warned. "For an attack to be successful, an attacker must persuade a user to open a malicious website."

The flaw - CVE-2019-0676 - affects Internet Explorer versions 10 and 11 on all supported platforms, including Windows Server 2012, 2016 and 2019.

Along with these issues, this week's Patch Tuesday saw fixes for products including Edge, Windows, .NET Framework, Visual Studio Code and the ever-updated Adobe Flash Player.

IT administrators should take note of the patches and work to apply them, as the vulnerabilities are now in the public eye and thus potentially ripe for hackers to exploit if they aren't fixed.
