A critical bug in a Microsoft scripting engine, under active attack, has been patched as part of Microsoft’s Patch Tuesday security roundup. The vulnerability exists in Internet Explorer and allows an attacker to execute rogue code if a victim is coaxed into visiting a malicious web page or tricked into opening a specially crafted Office document.

“An attacker who successfully exploits the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker…could take control of an affected system,” Microsoft wrote in its advisory.

Under an Office document attack scenario, Microsoft said an adversary might embed an ActiveX control marked “safe for initialization” in an Office document. If initialized, the malicious document could then be directed to a rogue website, booby-trapped with specially crafted content that could exploit the vulnerability.

The bug (CVE-2019-1429), first identified by Google Project Zero, is believed to be actively exploited in the wild, according to the computing giant.

November Patch Tuesday Tackles Additional Critical and Important Bugs

In total, Microsoft issued 75 CVEs: 11 critical and 64 important. The 10 additional critical bugs include CVE-2019-1457, an Excel security feature bypass which was publicly disclosed at the end of October and exploited as a zero-day.

“[This] is a security feature bypass in Microsoft Office for Mac due to improper enforcement…
