Microsoft published a security advisory for Internet Explorer on Friday, January 17th. The vulnerability is a remote code execution (RCE) flaw in the way that the JavaScript engine handles objects in memory. An attacker can use it to run arbitrary code in the context of the currently logged-in user. As such, users without administrative privileges are less impacted.
The newly discovered flaw affects Internet Explorer 9, 10, and 11 on Windows 7 through Windows 10 and the corresponding Windows Server versions. The bug could be used to take complete control of a system: install software, read and modify data, and create new accounts with full user rights. It is rated critical for Windows client SKUs and moderate for Windows Server, because Enhanced Security Configuration is enabled there by default and provides additional protection for sites not explicitly added to Internet Explorer's Trusted Sites zone.
Microsoft says that users would need to open a link to a specially crafted website for the vulnerability to be exploited, and attackers often use social engineering to persuade users to open malicious links sent by email. While the flaw is being actively exploited in the wild, Microsoft says that so far it is aware only of limited targeted attacks. A CVE has been assigned to the vulnerability (CVE-2020-0674), but there is no patch for the bug at the moment; Microsoft is working on a fix. It is not yet clear whether a patch for Windows 7 will be made available to organizations not paying for Extended Security Updates (ESU), as the OS reached end-of-life on January 15th.
This zero-day appears to be connected to a similar attack launched against Firefox users recently; Mozilla has since updated its browser to protect against that flaw. According to ZDNet's Catalin Cimpanu, Mozilla credited Chinese cybersecurity company Qihoo 360 with reporting the bug, and in a tweet that has since been deleted, Qihoo 360 said that a similar flaw in Internet Explorer was also being actively exploited.
The official advice from Microsoft is to change the permissions on jscript.dll, but doing so can result in reduced functionality. The steps described in Microsoft's security advisory involve taking ownership of the file and removing all access permissions to the DLL.
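The following PowerShell script is an added example of that workaround, not code from this article and not the exact commands in Microsoft's advisory: it saves the current ACL of each jscript.dll copy, takes ownership, adds an explicit deny for Everyone, and undoes the change with -Revert. The backup folder, the use of icacls rather than cacls, and the SID-based group reference are my choices.

```powershell
<#
  Added example, not from the article or from Microsoft's advisory:
  apply or revert the "remove all access to jscript.dll" workaround.
  Run from an elevated PowerShell prompt. -Revert undoes the change.
#>
[CmdletBinding()]
param(
    [switch]$Revert,
    # Hypothetical location for ACL backups taken before any change.
    [string]$BackupDir = "$env:ProgramData\jscript-mitigation"
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated (Administrator) prompt."
}

# 64-bit Windows carries two copies of the DLL; 32-bit has only System32.
# Missing paths are skipped below, so the same list works on both.
$targets = @(
    "$env:windir\System32\jscript.dll",
    "$env:windir\SysWOW64\jscript.dll"
)

# Well-known SID for Everyone; icacls accepts SIDs prefixed with '*',
# which avoids localized group names on non-English installs.
$everyone = "*S-1-1-0"

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($dll in $targets) {
    if (-not (Test-Path $dll)) { Write-Verbose "Not present, skipping: $dll"; continue }

    if ($Revert) {
        # Remove the deny ACE added below and hand ownership back to TrustedInstaller.
        icacls $dll /remove:d $everyone | Out-Null
        icacls $dll /setowner "NT SERVICE\TrustedInstaller" | Out-Null
        Write-Host "Reverted: $dll"
    } else {
        $arch   = Split-Path (Split-Path $dll -Parent) -Leaf    # System32 or SysWOW64
        $backup = Join-Path $BackupDir "jscript-$arch.acl"
        icacls $dll /save $backup | Out-Null
        # Administrators must own the file before its DACL can be changed.
        takeown /f $dll | Out-Null
        # An explicit deny for Everyone stops every principal, IE included, from loading it.
        icacls $dll /deny "${everyone}:(F)" | Out-Null
        Write-Host "Mitigated: $dll (ACL backup: $backup)"
    }
}

# Print the resulting ACLs so the change (or its reversal) can be confirmed.
foreach ($dll in $targets) { if (Test-Path $dll) { icacls $dll } }
```

The deny ACE outranks the file's allow entries, which is what makes the workaround effective and also what causes the reduced functionality the article mentions: anything that loads jscript.dll, not just Internet Explorer, will fail until the change is reverted.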
If your organization doesn't use Internet Explorer, you could consider removing the component from Windows, or using AppLocker or a third-party application control solution to block IE. These methods aren't likely to provide full protection against this zero-day, but they make it less likely that an attacker could persuade users to open a malicious site in Internet Explorer. In Windows 10, Windows Defender Application Guard, previously known as Device Guard, provides more robust application control than AppLocker.
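As an added example of the AppLocker route (not from the article or from Petri's AppLocker guide), the script below builds an executable rule that explicitly denies iexplore.exe for Everyone, tests the rule against the installed IE binaries, checks that the effective policy already contains allow rules, and merges the rule into the local policy only when run with -Apply. The rule name, description and temporary file path are my choices; it assumes a Windows edition that includes AppLocker and the Application Identity service running for enforcement.

```powershell
<#
  Added example, not from the article: an AppLocker executable rule that
  explicitly denies Internet Explorer for everyone. The rule name and the
  temporary file path are my choices. Requires an edition with AppLocker and
  the Application Identity service (AppIDSvc) running for enforcement.
#>
param([switch]$Apply)

# %PROGRAMFILES% is an AppLocker path variable that matches both
# "Program Files" and "Program Files (x86)", so one rule covers the
# 64-bit and 32-bit iexplore.exe. S-1-1-0 is the Everyone SID.
# EnforcementMode="NotConfigured" leaves the existing Exe enforcement
# setting alone when the rule is merged into the local policy.
$ruleId = [guid]::NewGuid().ToString()
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePathRule Id="$ruleId" Name="Deny Internet Explorer"
                  Description="Block iexplore.exe while CVE-2020-0674 is unpatched"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\Internet Explorer\iexplore.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP "deny-ie-applocker.xml"
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: ask AppLocker how this policy would treat the IE binaries.
$iePaths = @("$env:ProgramFiles\Internet Explorer\iexplore.exe")
if (${env:ProgramFiles(x86)}) {
    $iePaths += "${env:ProgramFiles(x86)}\Internet Explorer\iexplore.exe"
}
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $iePaths -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# A deny rule only makes sense alongside allow rules: once the Exe collection
# is enforced, anything not explicitly allowed is blocked. Refuse to apply
# if the effective policy has no Allow rule for executables yet.
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
$exeAllow = @($effective.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Exe' } |
    ForEach-Object { $_.ChildNodes } |
    Where-Object { $_.Action -eq 'Allow' })
if ($exeAllow.Count -eq 0) {
    Write-Warning "No Allow rules for executables in the effective policy; create the default rules first."
    return
}

if ($Apply) {
    # -Merge keeps the existing rules and adds this one to the local policy.
    Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
    Write-Host "Deny rule $ruleId merged into the local AppLocker policy."
} else {
    Write-Host "Dry run only; re-run with -Apply to merge the rule."
}
```

Run it once without -Apply to see the PolicyDecision column report Denied for each iexplore.exe path, then with -Apply from an elevated prompt. A path rule only covers the installed binaries, which is one reason the article calls this partial protection; a publisher rule on the IE executables' signature would also catch renamed copies.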
For more information on blocking untrusted apps using AppLocker, see Block Untrusted Apps Using AppLocker on Petri.