Attackers are using an unpatched vulnerability in Internet Explorer for targeted attacks while Microsoft is working to come up with a fix. The vulnerability allows remote code execution and can be exploited through a simple malicious website or email attachment.
Microsoft issued an advisory on Jan. 17 about the vulnerability, which affects IE 9, 10, and 11 on many current versions of Windows server and desktop. The company said it is aware of some limited targeted attacks that are exploiting the flaw, but gave no timeline for releasing a patch. The next regular patch day for Microsoft is Feb. 11, but the company has a history of publishing out-of-band patches for critical vulnerabilities, especially those that are under active attack.
“A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” the Microsoft advisory says.
“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The exploitation scenarios for the vulnerability (CVE-2020-0674) are quite simple and would not require advanced technical skills. An attacker could construct a malicious website with the exploit code on it, or send an email with a malicious PDF or Office document. This is the type of attack tactic that would be commonly used by phishing gangs or cybercrime groups once they have the appropriate exploit code.
In the absence of an official patch, researchers recommend blocking access to a legacy scripting DLL that is normally accessible by default and that has been loaded by the exploits targeting this vulnerability.
“jscript.dll is a library that provides compatibility with a deprecated version of JScript that was released in 2009. Blocking access to this library can prevent exploitation of this and similar vulnerabilities that may be present in this old technology. When Internet Explorer is used to browse the modern web, jscript9.dll is used by default,” said Will Dormann of the CERT/CC at Carnegie Mellon University.
Microsoft recommends the same mitigation strategy, but warns that blocking access to that DLL will also reduce the functionality of IE.
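The mitigation described above amounts to a deny access-control entry on jscript.dll, so that Internet Explorer can no longer load the legacy engine. The script below is an added example, not code from the article or from Microsoft, showing how an administrator can audit, apply and later reverse that change; it assumes the DLL lives at the usual System32 path (and SysWOW64 on 64-bit Windows) and that it is run from an elevated prompt.

```powershell
# Added example (not from the article or Microsoft's advisory): audit, apply and
# undo a deny ACL on jscript.dll. Assumed paths: System32 and, on 64-bit Windows,
# SysWOW64. Run elevated; takeown/icacls are the built-in Windows tools.
$targets = @("$env:windir\System32\jscript.dll")
if (Test-Path "$env:windir\SysWOW64\jscript.dll") {
    $targets += "$env:windir\SysWOW64\jscript.dll"
}

# Report whether each copy of the DLL already carries a Deny entry for Everyone.
function Get-JscriptBlockStatus {
    foreach ($dll in $targets) {
        $acl = Get-Acl -Path $dll
        $deny = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq 'Everyone'
        }
        [pscustomobject]@{
            Path           = $dll
            EveryoneDenied = [bool]$deny
            Owner          = $acl.Owner
        }
    }
}

# Apply the mitigation: take ownership (TrustedInstaller owns the file by default,
# so the ACL cannot be edited otherwise), then deny Everyone all access.
function Block-Jscript {
    foreach ($dll in $targets) {
        takeown.exe /f $dll | Out-Null
        icacls.exe $dll /deny "Everyone:(F)" | Out-Null
    }
    Get-JscriptBlockStatus
}

# Undo the mitigation: drop the deny entry and hand ownership back to
# TrustedInstaller so servicing (updates) can replace the file normally.
function Unblock-Jscript {
    foreach ($dll in $targets) {
        icacls.exe $dll /remove:d "Everyone" | Out-Null
        icacls.exe $dll /setowner "NT SERVICE\TrustedInstaller" | Out-Null
    }
    Get-JscriptBlockStatus
}

# Usage (elevated):
#   Get-JscriptBlockStatus   # audit current state
#   Block-Jscript            # apply the workaround
#   Unblock-Jscript          # revert before installing the vendor fix
```

Keep the revert function at hand: a deny ACL on a system file is a temporary measure, and the article notes that Microsoft itself warns it reduces IE functionality, so the block should be removed once the official update is installed.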
Clément Lecigne, a researcher from Google’s Threat Analysis Group, discovered the vulnerability, as did Ella Yu from Qihoo 360.