September 20, 2020

Microsoft releases a security update to Windows 10 to fix RCE vulnerabilities in IE browser


Microsoft has released a security update for all versions of Windows 10 to address high-risk vulnerabilities in Internet Explorer. The update addresses only the high-risk Internet Explorer vulnerability. It is not part of the monthly update cycle, so it will not be actively pushed to users. In theory, it is downloaded and installed only when the user clicks the Check for updates button.


According to the Microsoft Security Response Center announcement, this emergency security update addresses a high-risk security vulnerability discovered in the scripting engine component of Internet Explorer. The scripting engine has a remote code execution vulnerability in the way it handles objects in memory, which an attacker can exploit to corrupt memory and execute arbitrary code. An attacker who successfully exploits this vulnerability gains the same account privileges as the currently logged-in user. If the user is logged in as an administrator, the attacker obtains administrator privileges as well. With administrator privileges, an attacker can fully access and control the user's computer, including installing a backdoor or creating a new administrative account.

The attack method is also very simple. The attacker only needs to create a specially crafted web page and then induce the user to open it, whether through the Internet, instant messaging tools or email.

The user only has to open the crafted web page and does not need to perform any other action, so the potential harm of the vulnerability is very large. For this reason Microsoft released an emergency update to fix it.