On Monday, Microsoft and Adobe patched two and three vulnerabilities, respectively, classified as critical, in their systems.

Software giant Microsoft fixed two flaws: an Internet Explorer zero-day and a denial-of-service (DoS) vulnerability impacting Microsoft Defender.

Tracked as CVE-2019-1367, the Internet Explorer zero-day has been described as a memory corruption issue that enables remote code execution. The security hole impacts Internet Explorer 9, 10 and 11, and the software giant says it is aware of exploitation attempts against both newer and older versions.

Microsoft said: “The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.”

To exploit this vulnerability, an attacker would have to persuade the targeted user to visit a malicious website using a vulnerable version of Internet Explorer.

The second security update fixes a DoS vulnerability in Microsoft Defender. Tracked as CVE-2019-1255, the flaw enables an attacker with access to the targeted system to “prevent legitimate accounts from executing legitimate system binaries.”

Meanwhile, Adobe issued updates for its ColdFusion web application development platform that address three flaws, including two that have been rated “critical.”

ColdFusion 2016 Update 12 and ColdFusion 2018 Update 5 patch a serious path traversal vulnerability that can be exploited to bypass access controls (CVE-2019-8074), and a critical command injection flaw that can be leveraged for arbitrary code execution (CVE-2019-8073).

The last security hole, described by Adobe as a security bypass that can result in information disclosure, was assigned an “important” severity rating.

Adobe says it is not aware of any attacks exploiting these flaws, and the company thinks they are not likely to be exploited in the near future. Nevertheless, users should not disregard the updates, because threat actors have been known to exploit ColdFusion vulnerabilities in their attacks.
