Patch Wednesday plugs actively exploited IE zero-day


"PrivExchange" flaw fixed too after proof-of-concept published.

Microsoft's monthly set of security patches, released today, addresses over 70 vulnerabilities, including an actively exploited information disclosure flaw in the Internet Explorer web browser that is built into the company's Windows operating system.

According to Microsoft, the flaw is due to IE not handling objects in memory properly.

Attackers can exploit this to test for the presence of files on disk when users are tricked into opening malicious websites.

The vulnerability is being exploited in both newer and older versions of Windows, but Microsoft did not say by whom and where.

Other serious flaws being patched today include a critical remote code execution bug in the Windows Server Dynamic Host Configuration Protocol (DHCP) component, which is used to assign internet protocol addresses to computers on networks.

Security vendor Tenable's research engineer Satnam Narang said the vulnerability received the highest Common Vulnerability Scoring System (CVSS) rating of 10/10.

It follows last month’s fix of another Windows DHCP client remote code execution vulnerability, Narang noted.

Microsoft also fixed an Exchange Server privilege escalation vulnerability dubbed PrivExchange, which could be exploited to give an attacker in a man-in-the-middle position Domain Administrator superuser rights.

This would give an attacker access to user credentials on the target domain.

The PrivExchange bug fix comes after proof-of-concept code was published for the flaw in January this year, but the vulnerability has not been actively exploited.

 

Copyright © iTnews.com.au. All rights reserved.