Vulnerabilities > CVE-2019-1367 - Out-of-bounds Write vulnerability in Microsoft Internet Explorer 10/11/9
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS19_SEP_WIN10_IE_OOB.NASL description The remote Windows host is missing a security update. It is, therefore, affected by a remote code execution vulnerability in the way that the scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. last seen 2020-06-01 modified 2020-06-02 plugin id 129167 published 2019-09-24 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129167 title Windows 10, Server 2016 and Server 2019 September 2019 Security Update (CVE-2019-1367) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the Microsoft Security Updates API. The text # itself is copyright (C) Microsoft Corporation. # include("compat.inc"); if (description) { script_id(129167); script_version("1.7"); script_cvs_date("Date: 2020/01/30"); script_cve_id("CVE-2019-1367"); script_xref(name:"MSKB", value:"4522009"); script_xref(name:"MSKB", value:"4522010"); script_xref(name:"MSKB", value:"4522011"); script_xref(name:"MSKB", value:"4522012"); script_xref(name:"MSKB", value:"4522014"); script_xref(name:"MSKB", value:"4522015"); script_xref(name:"MSKB", value:"4522016"); script_xref(name:"MSFT", value:"MS19-4522009"); script_xref(name:"MSFT", value:"MS19-4522010"); script_xref(name:"MSFT", value:"MS19-4522011"); script_xref(name:"MSFT", value:"MS19-4522012"); script_xref(name:"MSFT", value:"MS19-4522014"); script_xref(name:"MSFT", value:"MS19-4522015"); script_xref(name:"MSFT", value:"MS19-4522016"); script_name(english:"Windows 10, Server 2016 and Server 2019 September 2019 Security Update (CVE-2019-1367)"); script_summary(english:"Checks for rollup."); script_set_attribute(attribute:"synopsis", value: "The remote Windows host is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The remote Windows host is missing a security update. It is, therefore, affected by a remote code execution vulnerability in the way that the scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user."); script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4522009"); script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4522010"); script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4522011"); script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4522012"); script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4522014"); script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4522015"); script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4522016"); # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6fcaf7ca"); script_set_attribute(attribute:"solution", value: "Microsoft has released the following security updates to address this issue: -4522009 -4522010 -4522011 -4522012 -4522014 -4522015 -4522016"); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1367"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/23"); script_set_attribute(attribute:"patch_publication_date", value:"2019/09/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/24"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = "MS19-09"; kbs = make_list( '4522009', '4522010', '4522011', '4522012', '4522014', '4522015', '4522016' ); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( smb_check_rollup(os:"10", sp:0, os_build:"10240", rollup_date:"09_2019_oob", bulletin:bulletin, rollup_kb_list:[4522009]) || smb_check_rollup(os:"10", sp:0, os_build:"14393", rollup_date:"09_2019_oob", bulletin:bulletin, rollup_kb_list:[4522010]) || smb_check_rollup(os:"10", sp:0, os_build:"15063", rollup_date:"09_2019_oob", bulletin:bulletin, rollup_kb_list:[4522011]) || smb_check_rollup(os:"10", sp:0, os_build:"16299", rollup_date:"09_2019_oob", bulletin:bulletin, rollup_kb_list:[4522012]) || smb_check_rollup(os:"10", sp:0, os_build:"17134", rollup_date:"09_2019_oob", bulletin:bulletin, rollup_kb_list:[4522014]) || smb_check_rollup(os:"10", sp:0, os_build:"17763", rollup_date:"09_2019_oob", bulletin:bulletin, rollup_kb_list:[4522015]) || smb_check_rollup(os:"10", sp:0, os_build:"18362", rollup_date:"09_2019_oob", bulletin:bulletin, rollup_kb_list:[4522016]) ) { replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, hotfix_get_audit_report()); }NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS19_SEP_IE_OOB.NASL description The Internet Explorer installation on the remote host is missing security updates. It is, therefore, affected by a remote code execution vulnerability in the way that the scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. last seen 2020-06-01 modified 2020-06-02 plugin id 129166 published 2019-09-24 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129166 title Security Update for Internet Explorer (CVE-2019-1367) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the Microsoft Security Updates API. The text # itself is copyright (C) Microsoft Corporation. # include("compat.inc"); if (description) { script_id(129166); script_version("1.6"); script_cvs_date("Date: 2020/01/30"); script_cve_id("CVE-2019-1367"); script_xref(name:"MSKB", value:"4522007"); script_xref(name:"MSFT", value:"MS19-4522007"); script_name(english:"Security Update for Internet Explorer (CVE-2019-1367)"); script_summary(english:"Checks for Microsoft security updates."); script_set_attribute(attribute:"synopsis", value: "The Internet Explorer installation on the remote host is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The Internet Explorer installation on the remote host is missing security updates. It is, therefore, affected by a remote code execution vulnerability in the way that the scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user."); script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4522007"); # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6fcaf7ca"); script_set_attribute(attribute:"solution", value: "Microsoft has released the following security update to address this issue: -KB4522007"); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1367"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/23"); script_set_attribute(attribute:"patch_publication_date", value:"2019/09/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/24"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS19-09'; kbs = make_list('4522007'); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); os = get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1); if ("Windows 8" >< productname && "8.1" >!< productname) audit(AUDIT_OS_SP_NOT_VULN); if ("Vista" >< productname) audit(AUDIT_OS_SP_NOT_VULN); if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE); share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Windows 8.1 / Windows Server 2012 R2 # Internet Explorer 11 hotfix_is_vulnerable(os:"6.3", sp:0, file:"mshtml.dll", version:"11.0.9600.19467", min_version:"11.0.9600.16000", dir:"\system32", bulletin:bulletin, kb:"4522007") || # Windows Server 2012 # Internet Explorer 10 hotfix_is_vulnerable(os:"6.2", sp:0, file:"mshtml.dll", version:"10.0.9200.22879", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:"4522007") || # Internet Explorer 11 hotfix_is_vulnerable(os:"6.2", sp:0, file:"mshtml.dll", version:"11.0.9600.19467", min_version:"11.0.9600.16000", dir:"\system32", bulletin:bulletin, kb:"4522007") || # Windows 7 / Server 2008 R2 # Internet Explorer 11 hotfix_is_vulnerable(os:"6.1", sp:1, file:"mshtml.dll", version:"11.0.9600.19467", min_version:"11.0.9600.16000", dir:"\system32", bulletin:bulletin, kb:"4522007") || # Windows Server 2008 # Internet Explorer 9 hotfix_is_vulnerable(os:"6.0", sp:2, file:"mshtml.dll", version:"9.0.8112.21372", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:"4522007") ) { set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, hotfix_get_audit_report()); }
The Hacker News
| id | THN:AB828E4EB75F9C7BC37B672D9FD0092E |
| last seen | 2019-09-24 |
| modified | 2019-09-24 |
| published | 2019-09-24 |
| reporter | The Hacker News |
| source | https://thehackernews.com/2019/09/windows-update-zero-day.html |
| title | Microsoft Releases Emergency Patches for IE 0-Day and Windows Defender Flaw |