Microsoft Released Out-of-Band Security Updates - How to Detect and Remediate

Microsoft released an out-of-band update yesterday that fixes two critical vulnerabilities – The Internet Explorer remote code execution vulnerability (CVE-2019-1367) and Microsoft Defender Denial of Service Vulnerability (CVE-2019-1255).

According to the Microsoft advisory CVE-2019-1367, the Internet Explorer scripting engine vulnerability has been exploited in active attacks in the wild. Users are advised to manually update their systems immediately.

UPDATE: Added methods to detect Internet Explorer installs vulnerable to CVE-2019-1367 using only Free Qualys Global IT Asset Inventory, as well as how to patch by CVE with Qualys Patch Management.

CVE Details

CVE-2019-1367: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could run arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

CVE-2019-1255: A denial of service vulnerability exists when Microsoft Defender improperly handles files. An attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries. To exploit the vulnerability, an attacker would first require execution on the victim system. The security update addresses the vulnerability by ensuring Microsoft Defender properly handles files.

Detecting CVE-2019-1255 and CVE-2019-1367 with Qualys VM

The best method for identifying vulnerable hosts is through the Qualys Cloud Agent or via Qualys authenticated scanning. Qualys has issued QIDs 91577 and 100388 for Qualys Vulnerability Management that covers CVE-2019-1255 and CVE-2019-1367 respectively. These QIDs are included in signature version VULNSIGS-2.4.708-2.

You can search for this within AssetView or the VM Dashboard by using the following QQL query:

vulnerabilities.vulnerability:(qid:91577 OR qid:100388)

UPDATE: Qualys has also published an importable widget for tracking this vulnerability in the Qualys VM Dashboard Beta.

Detecting Vulnerable Internet Explorer installs with Free Global IT Asset Inventory

Using Free Global IT Asset Inventory, you can also use the following search to find any vulnerable hosts by identifying the specific versions of vulnerable applications:

software:(publisher:`Microsoft` and product:`Internet Explorer` and ((marketVersion:`9` and version<9.0.8112.21372) or (marketVersion:`10` and version<10.0.9200.22881) or (marketVersion:`11` and version<11.0.9600.19467)))

Qualys Global IT Asset Inventory is free for unlimited assets. Qualys AI automates the collection, normalization, and categorization of your inventory data – providing a single source of truth for your IT, security, and compliance teams.

Workaround: Restrict Access to JScript.dll

Microsoft has listed workarounds for CVE-2019-1367 to protect systems, if the patch cannot be applied right away:

For 32-bit systems, enter the following command at an administrative command prompt:

takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, enter the following command at an administrative command prompt:

takeown /f %windir%\syswow64\jscript.dll
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N

Remediating with Qualys Patch Management:

Customers using Qualys Patch Management with Cloud Agent can search for cve:`CVE-2019-1367` in the Patch Catalog, and click “Missing” in the side panel to locate and deploy patches to all affected Operating Systems.

For QID 91577 (CVE-2019-1255), there is no patch available. Defender will download the update as part of its regular definition updates.

For emergency patching, you can create an On-demand Job and target it at the “Cloud Agent” tag to cover all hosts. For continuous patching, a Daily Job can be created with a 24-hour “Patch Window” to ensure all hosts will continue to receive the required patches. This patch does require a reboot.

Targeting specific operating systems is not necessary, and all patches can be placed into a single job. The Qualys Cloud Agent already knows which patch is needed for each host.