Microsoft has published a pair of rare security updates outside its normal update cycle. The two patches fix serious security flaws in Microsoft Defender and Internet Explorer. The updates are rare because they fall outside Microsoft's steadfast schedule of releasing major security updates on the second Tuesday of every month.
Typically, the only time that Microsoft goes off that schedule is when the patches are critical security fixes. One of the updates is for Internet Explorer (IE) and patches a zero-day that has been exploited in the wild. This patch is a manual update, and the details of the zero-day exploit are unclear at this time. The zero-day attacks were reported to Microsoft by a member of the Google Threat Analysis Group.
This group is key in helping to find and defend against attacks online and is the same team that detected an iOS zero-day attack against the Chinese Uyghur community. Researchers call the vulnerability a remote code execution (RCE) issue. Microsoft said that the vulnerability could corrupt memory in a way that would allow an attacker to execute arbitrary code in the context of the current user. A successful attack would give the attacker the same rights on the machine that the current user has. This zero-day is tracked as CVE-2019-1367.
The second update is for a Microsoft Defender denial-of-service (DoS) bug. Microsoft says that an attacker could exploit the vulnerability to prevent a legitimate account from executing legitimate system binaries. While the attack sounds severe, Microsoft notes that exploiting this bug would require the attacker to have access to a victim machine and the ability to execute code. Microsoft released version 1.1.16400.2 of the Malware Protection Engine as a silent update to fix the issue. Microsoft patched another Defender bug earlier this week that caused file scans to fail.