Tue. Aug 11th, 2020

Microsoft Releases Emergency Zero-Day Patch

Microsoft released an advisory urging users to install an emergency “out-of-band” security patch.

The advisory details two critical flaws: CVE-2019-1367 and CVE-2019-1255. Of the two, CVE-2019-1367, a critical Internet Explorer zero-day, is the more important.

According to the tech giant, the IE zero-day is a remote code execution vulnerability in the way Microsoft’s scripting engine handles objects in memory in Internet Explorer. The vulnerability could allow a remote attacker to take control of an affected system.

“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” Microsoft says in its advisory.

Even worse, Microsoft said the vulnerability is under active exploitation and affects Internet Explorer versions 9, 10, and 11.

Users are urged to install the updates as soon as possible.