What is the IE Vulnerability?

Microsoft recently released a security advisory alerting its users of an unpatched code-execution vulnerability in Internet Explorer.

The vulnerability (CVE-2020-0674), which is listed as high as critical in severity for Internet Explorer version 11 and moderate in severity for Internet Explorer versions 9 and 10, “exists in the way that the scripting engine handles objects in memory in Internet Explorer”, Microsoft stated in its advisory.

“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights,” Microsoft went on to explain in the advisory.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.”

How the IE Vulnerability was Discovered

Microsoft stated they had learned about the vulnerability by Clément Lecigne of Google’s Threat Analysis Group (TAG) and Ella Yu from Qihoo 360, which have apparently seen the weakness being exploited in limited, targeted attacks.

Google’s Threat Analysis Group has previously reported several vulnerabilities to Microsoft, including one in the Windows 7/2008R2 architecture (CVE-2019-0808) as well as another Internet Explorer exploit (CVE-2019-1367).

Managing the IE Vulnerability

Although the vulnerability sounds intense, Microsoft stated it’s not present in the supported versions of Internet Explorer (which uses Jscrip9.dll) and they instead took a firm stance on waiting until next month’s Patch Tuesday to produce remediation.

“Microsoft is aware of this vulnerability and working on a fix,” Microsoft stated at the end of their advisory. “Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.”

For those that require a quick fix, Microsoft detailed a workaround that leverages administrative commands to restrict access to the vulnerable scripting library. It should be noted that the workaround may result in reduced functionality for components or features that rely on jscript.dll.

Security professionals have also advised users to simply stop using Internet Explorer and instead switch to a more reliable and secure solution; however, this may not be easy for all as some existing web-based software still requires outdated version of Internet Explorer. Microsoft has even recently launched its own Chromium-based Edge browser to provide better compatibility to its customers.

Syxsense Manage and Syxsense Secure can easily resolve vulnerabilities across your entire environment. Find peace of mind by trusting your Syxsense and set up a free trial today.