Microsoft Issues Zero-Day Advisory for Internet Explorer

Microsoft published a security advisory for Internet Explorer on Friday, January 17th. The vulnerability is a remote code execution (RCE) flaw in the way that the JavaScript engine handles objects in memory. An attacker can use it to run arbitrary code in the context of the currently logged-in user. As such, users without administrative privileges are less impacted.

The newly discovered flaw affects Internet Explorer 9, 10, and 11 on Windows 7 through to Windows 10, and the respective Windows Server versions. The bug could be used to take complete control of a system and install new software, read and modify data, and create new accounts with full user rights. The bug is rated critical for Windows client SKUs and moderate for Windows Server because Enhanced Security Configuration mode is enabled by default and it provides additional protection for sites not explicitly added to the Internet Explorer Trusted Sites zone.

Microsoft says that users would need to open a link to a specially crafted website for the vulnerability to be exploited. Hackers often use social engineering to persuade users to open malicious links found in emails. While the flaw is being actively exploited in the wild, Microsoft says that so far it is aware of limited targeted attacks. A CVE has been assigned to the vulnerability (CVE-2020-0674), but there is no patch for the bug at the moment. Microsoft is working on providing a fix, although it's not clear whether a patch for Windows 7 will be made available for organizations not paying for Extended Security Updates (ESU), as the OS reached end-of-life January 15th.

This zero-day appears to be connected to a similar attack that was launched against Firefox users recently. Mozilla has since updated its browser to protect against the flaw. According to ZDNet's Catalin Cimpanu, Mozilla credited Chinese cybersecurity company Qihoo 360 with reporting the bug. Apparently, in a tweet that has now been deleted, Qihoo 360 said that there was also a similar flaw in Internet Explorer that was actively being exploited.

Mitigating the Internet Explorer Vulnerability

The official advice from Microsoft is to change permissions on jscript.dll. But taking this action can result in reduced functionality. The steps described in Microsoft’s security advisory involve taking ownership of the file and removing all access permissions to the DLL.
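
The following PowerShell script is an added example, not code from Microsoft's advisory or from this article. It reports whether each copy of jscript.dll carries a deny entry for Everyone and, when run with the `-Apply` switch, takes ownership and removes access with `takeown` and `cacls`; the function name `Test-JScriptDenied` and the `-Apply` switch are names chosen here for illustration.

```powershell
# Added example: audit, and optionally apply, the jscript.dll permission workaround.
# Run from an elevated 64-bit PowerShell session (a 32-bit process is redirected
# from System32 to SysWOW64 and would check the same file twice).
param([switch]$Apply)

$everyoneSid = 'S-1-1-0'   # well-known SID for Everyone, independent of OS language
$paths = @("$env:windir\System32\jscript.dll")
if ([Environment]::Is64BitOperatingSystem) {
    $paths += "$env:windir\SysWOW64\jscript.dll"
}

function Test-JScriptDenied {
    # Returns $true if an explicit Deny rule for Everyone covers read/execute,
    # $false if not, and $null if the ACL cannot be read from this account.
    param([string]$Path)
    try {
        $acl   = Get-Acl -LiteralPath $Path -ErrorAction Stop
        $rules = $acl.GetAccessRules($true, $false,
                     [System.Security.Principal.SecurityIdentifier])
    } catch {
        return $null   # re-check while logged on as the file owner
    }
    $needed = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $everyoneSid -and
            $rule.AccessControlType -eq 'Deny' -and
            ($rule.FileSystemRights -band $needed) -eq $needed) {
            return $true
        }
    }
    return $false
}

foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    if ($Apply) {
        # Take ownership, then set Everyone to "no access" (N).
        # The account name "everyone" assumes an English-language system.
        takeown.exe /f $path | Out-Null
        cacls.exe $path /E /P everyone:N | Out-Null
    }
    [pscustomobject]@{
        Path           = $path
        EveryoneDenied = Test-JScriptDenied -Path $path
    }
}
# To revert on a given file: cacls.exe <path> /E /R everyone
```

Because the workaround reduces functionality, record which machines received it so the permissions can be reverted once a patch is installed.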

If your organization doesn’t use Internet Explorer, you could consider removing the component from Windows or using AppLocker, or a third-party application control solution, to block IE. While these methods aren’t likely to provide full protection against this zero-day, they will make it less likely that an attacker could persuade users to open a malicious site using Internet Explorer. In Windows 10, Windows Defender Application Guard, previously known as Device Guard, provides more robust application control than AppLocker.

For more information on blocking untrusted apps using AppLocker, see Block Untrusted Apps Using AppLocker on Petri.


IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.