Barely a week after Patch Tuesday, internet security company Qihoo 360 has discovered yet another vulnerability in Internet Explorer (IE), this time a remote code execution flaw in the jscript.dll scripting engine. The vulnerability, identified as CVE-2020-0674, is considered Critical for IE 11, and Moderate for IE 9 and IE 10.
The scope of this zero-day vulnerability
This vulnerability enables attackers to corrupt memory in IE and execute arbitrary code in the context of the current user. In simple terms, this means an attacker could hijack the privileges of the current user and, if the current user is logged on with administrative user rights, that could spell disaster for the targets. Once the attacker takes control of the machines, they could install programs, manipulate data, or even create accounts with full user rights. This flaw could be triggered and exploited in a web-based attack by tricking victims into visiting a website hosting specially crafted content designed to exploit this vulnerability.
Microsoft offers a workaround
Microsoft has provided mitigation steps to tackle this vulnerability while the company works on a permanent fix. It has published Security Advisory ADV200001, which includes details on using administrative commands to restrict access to the scripting library. The workarounds are as follows:
For 32-bit systems, enter the following commands in an administrative command prompt:
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
For 64-bit systems, enter the following commands in an administrative command prompt:
takeown /f %windir%\syswow64\jscript.dll
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
Implementing these workarounds, however, might impair the functionality of components or features that rely on jscript.dll.
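To keep track of which machines have the workaround in place, and will therefore need it reversed later, the ACL on each jscript.dll copy can be inspected. The PowerShell below is an added example, not part of Microsoft's advisory; it assumes the cacls everyone:N step shows up as a Deny entry for the Everyone SID (S-1-1-0), and the output column names are illustrative.

```powershell
# Added example: report whether the jscript.dll restriction is present.
# Assumption: "cacls ... /E /P everyone:N" appears as a Deny ACE for Everyone (S-1-1-0).
# Run from a 64-bit PowerShell on 64-bit Windows; a 32-bit process has
# system32 silently redirected to syswow64 and would check the same file twice.

# Paths taken from the workaround commands; syswow64 exists only on 64-bit systems.
$paths = @(
    (Join-Path $env:windir 'system32\jscript.dll'),
    (Join-Path $env:windir 'syswow64\jscript.dll')
)

$report = foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    try {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
        # Explicit and inherited rules, with identities returned as SIDs so the
        # match does not depend on the localized name of the Everyone group.
        $deny = $acl.GetAccessRules($true, $true,
                    [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Value -eq 'S-1-1-0'
            }
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Path       = $path
            Owner      = $acl.Owner      # takeown changes this from the default
            Restricted = [bool]$deny
            DenyRights = ($deny.FileSystemRights -join '; ')
            Error      = $null
        }
    }
    catch {
        # A deny-all entry can block reading the ACL for anyone but the owner,
        # so a failure here is recorded rather than treated as "not restricted".
        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Path       = $path
            Owner      = $null
            Restricted = $null
            DenyRights = $null
            Error      = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize
```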
Patch status
The patch for this zero-day vulnerability is expected to come out on Patch Tuesday in February 2020. The reason Microsoft isn’t scrambling to release a patch immediately might be that all supported versions of IE use Jscript9.dll by default, which is not prone to this flaw. However, the flaw does affect versions of IE running on Windows 7, which stopped receiving support outside of Extended Security Updates (ESUs) on January 14, 2020. Windows 7 users who haven’t purchased the ESUs will not receive the patch that addresses this vulnerability on the next Patch Tuesday.
Though this vulnerability is being exploited in the wild, it’s targeted and not widespread for now. Applying the workaround now and patching the component once the patches are released should protect users in the meantime. Users who apply the workarounds should reverse them and install the patches once they’re released.