Microsoft has delivered an update for all supported Windows 10 versions bringing only one fix to an Internet Explorer vulnerability. The exploit is a remote code execution bug that could enable an attacker to gain admin rights if the current user is logged on with administrative user rights.
Tracked as CVE-2019-136, here is how the software maker explains this scripting engine memory corruption vulnerability:
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.
The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.
The fix arrives with today's Build 18362.357 (KB4522016) for Windows 10 May 2019 Update. Other versions have also received this fix. KB4522015 (Build 17763.740) is available for version 1809 aka the October 2018 Update, KB4522014 (Build 17134.1009) for version 1903 aka the April 2018 Update, KB4522012 (Build 16299.1392) for version 1709, KB4522011 (Build 15063.2046) for version 1703, KB4522010 (Build 14393.3206) for version 1607, and KB4522009 (Build 10240.18334) for the original Windows 10.
