Microsoft advises users to apply workarounds while it works on patches
Microsoft warns that an as-yet unpatched scripting engine memory corruption vulnerability in Internet Explorer (IE) is being actively exploited in targeted attacks.
The vulnerability (CVE-2020-0674) has the potential to corrupt the browser’s memory in such a way that an attacker could execute arbitrary code on a victim’s device.
Successful exploitation of the remote code execution flaw would allow miscreants to gain the same privileges as the current user. Thereafter, an attacker would be able to install programs; view, change, or delete data; or create new accounts with full user rights, Microsoft admits.
The attacker would need to trick a victim into viewing a maliciously constructed web page email attachment, PDF file, Microsoft Office document, or any other document that supports embedded Internet Explorer scripting engine content, in order to mount an attack.
IE 10 and IE 11 on a range of platforms are affected including Windows 10, Windows RT 8.1, Windows Server 2008 through to Windows Server 2019 are all affected.
Windows 7 systems are also affected – particularly bad news since the aging but still widely used system was taken out of support by Microsoft earlier this month, so security patches will not be forthcoming unless Microsoft treats the flaw as a special case.
No immediate fix to this vulnerability is available, even on supported systems.
In its advisory, Microsoft said it is aware of “limited targeted attacks” against the vulnerability adding that it is “working on a fix”.
Redmond’s security response team has evidently decided that the security flaw is not of sufficient gravity to issue an out of band fix.
All signs point to updates in the next edition of Patch Tuesday, which lands February 11.
Clément Lecigne of Google’s Threat Analysis Group and Ella Yu from Qihoo 360 are jointly credited with uncovering the vulnerability.
In an alert, the US government’s Cybersecurity and Infrastructure Security Agency (CISA) advised system administrators to consider using Microsoft Edge or alternative browsers pending the availability of patches from Microsoft.
“CISA encourages users and administrators to review Microsoft’s Advisory ADV20001 and CERT/CC’s Vulnerability Note VU#338824 for more information, implement workarounds, and apply updates when available,” it said.
“Consider using Microsoft Edge or an alternate browser until patches are made available.”
Behind the bug
Microsoft Internet Explorer contains a scripting engine that handles execution of scripting languages such as VBScript and JScript. The vulnerability resides in the scripting engine JScript component of Internet Explorer, according to US-CERT.
The now-patched type confusion vulnerability (CVE-2019-17026) – also discovered by Qihoo 360 researchers – impacts the Mozilla browser’s IonMonkey JIT compiler and could potentially allow attackers to execute arbitrary code on a victim’s device.
The Daily Swig has approached Qihoo 360 for comment relating to the rumors that the vulnerabilities may be linked.
YOU MIGHT ALSO LIKE First externally discovered flaws in Microsoft Edge (Chromium) uncovered