Microsoft Releases Advisory on Zero-Day Vulnerability CVE-2020-0674, Workaround Provided

On January 17, Microsoft published an advisory (ADV200001) warning users about CVE-2020-0674, a remote code execution (RCE) vulnerability involving Microsoft’s Internet Explorer (IE) web browser. A patch has not yet been released as of the time of writing — however, Microsoft has acknowledged that it is aware of limited targeted attacks exploiting the flaw. All supported Windows desktop and Server OS versions can potentially be affected by the bug.

CVE-2020-0674 occurs due to how the scripting engine handles objects in memory in IE. Attackers could exploit this vulnerability to corrupt memory, allowing them to execute arbitrary code in the context of the current user. This can potentially allow an attacker to gain administrative rights if the user is logged on as an administrator. As with other RCE bugs, this means that threat actors could potentially create new accounts, modify data, or even install applications.

An attack can involve a threat actor creating a specially crafted website designed to exploit the vulnerability. Users can then be tricked into visiting it via social engineering techniques such as an email with embedded links.

Suggested workaround

While users are waiting for a patch to address CVE-2020-0674, Microsoft has published a workaround that restricts access to Jscript.dll:

For those using 32-bit systems, the following command should be entered at a command prompt as an administrator:

    takeown /f %windir%\system32\jscript.dll

    cacls %windir%\system32\jscript.dll /E /P everyone:N

On the other hand, those using 64-bit systems should enter the following command via a command prompt as an administrator:

    takeown /f %windir%\syswow64\jscript.dll

    cacls %windir%\syswow64\jscript.dll /E /P everyone:N

    takeown /f %windir%\system32\jscript.dll

    cacls %windir%\system32\jscript.dll /E /P everyone:N

However, Microsoft noted thatthe workaround might result in reduced functionality for components and features that use jscript.dll. Therefore, it is advised that users revert the workaround before applying the upcoming patch. This can be done via the following:

For 32-bit systems, the following command should be entered:  

    cacls %windir%\system32\jscript.dll /E /R everyone   

For 64-bit systems, the command is:

    cacls %windir%\system32\jscript.dll /E /R everyone   

    cacls %windir%\syswow64\jscript.dll /E /R everyone

Recommendations

Since CVE-2020-0674 is already actively being exploited, it is recommended that users apply the patch addressing the bug once it is available from Microsoft. Furthermore, implementing the workaround while waiting for the update can prevent attackers from targeting vulnerable systems. Another option is to consider blocking IE via network traffic blocking or group policies until an update is pushed. Take note that some applications or websites might have IE integrated and they might not work if IE is blocked.

Given the use of malicious websites as part of the vulnerability’s exploitation routine, organizations should ensure that their employees are properly educated when it comes to phishing attacks while individual users are encouraged to practice caution when it comes to clicking links, especially those embedded in a suspicious email message.

Trend Micro Solutions

Trend Micro™ Deep Security™ delivers leading automated protection to secure applications and workloads across new and end of support systems. Deep Security’s virtual patching automatically shields systems from new threats and vulnerabilities, minimizing disruptions and ensuring your critical applications and sensitive enterprise data stay protected.

The Trend Micro™ Deep Security™ and Vulnerability Protection solutions also protect systems and users from threats targeting CVE-2020-0674 via the following rule:

  • 1010133-Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674)

Trend Micro™ TippingPoint® customers are protected from threats and attacks that may exploit  CVE-2020-0674 via the following MainlineDV filter:

  • 36973: HTTP: Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.