Zero-day flaws in Internet Explorer and Exchange patched by Microsoft
Exploit code is known to be in circulation for both vulnerabilities


Two zero-day flaws affecting Internet Explorer and Exchange have been fixed by Microsoft as part of its weekly 'Patch Tuesday' update rollout. Both vulnerabilities were known to have exploit code in circulation.
One of the patches addressed an "important" privilege elevation flaw in Microsoft Exchange Server that could be used to gain administrative control over an Exchange server via a relatively straightforward man-in-the-middle attack. It was first revealed last month by security researchers, with proof-of-concept exploit code to accompany it.
Patches have been issued for Exchange Server 2010, 2013, 2016 and 2019. Microsoft's advisory for the vulnerability, which is designated as CVE-2019-0686, warned that although no active exploits had been detected in the wild, exploits were likely.
The second issue relates to Internet Explorer and the way it handles objects in memory. Unlike the Exchange flaw, this vulnerability had not been publicly disclosed, but Google's Project Zero researchers discovered it being actively exploited in the wild.
"An attacker who successfully exploited this vulnerability could test for the presence of files on disk," Microsoft's advisory warned. "For an attack to be successful, an attacker must persuade a user to open a malicious website."
The flaw - CVE-2019-0676 - affects Internet Explorer versions 10 and 11 on all supported platforms, including Windows Server 2012, 2016 and 2019.
Along with these issues, this week's Patch Tuesday saw fixes for products including Edge, Windows, .NET Framework, Visual Studio Code and the ever-updated Adobe Flash Player.
IT administrators should take note of the patches and work to apply them, as the vulnerabilities are now in the public eye and thus potentially ripe for hackers to exploit if they aren't fixed.
Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.
Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.
You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.