Recently, news came out about a CVE-2020-0674 vulnerability in Microsoft’s Internet Explorer scripting engine based on how the browser handles memory. More specifically, within the JScript component of the scripting engine is an unspecified memory corruption vulnerability. What this means in practice is that any application that supports embedding Internet Explorer or its scripting engine can be leveraged as an attack vector.
Some examples are a Microsoft Office document, a specially crafted HTML page, and a PDF. Attackers can use these items to launch arbitrary code through the Internet Explorer scripting vulnerability. According to Microsoft’s announcement, “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.”
According to TechCrunch reporting, Microsoft doesn’t intend to fix the script until the monthly Patch Tuesday for February.
The vulnerability exists in jscript.dll, an old JavaScript library that was used in the IE8 browser, later this library was replaced by jscript9.dll which is currently loaded by default within IE9/10/11. Adversaries trigger the browser to load the old and vulnerable jscript by means of backwards-compatible javascript tags. Until a patch is released, organizations need to practice good email security and not open any documents that appear suspicious.
There have already been a limited number of attacks, and Microsoft will patch this vulnerability in their next round of security patches. Windows 7 will not receive this patch, however, because that operating system has reached the end of life.
Morphisec customers don’t need to worry about this unpatched vulnerability. The Morphisec Unified Threat Prevention Platform is purpose-built to halt in-memory attacks regardless of which application they affect.
In fact, our product protected customers even before adversaries knew there was a vulnerability in the IE scripting engine. Our customers will continue to be protected, even while Microsoft is still working on the patch. Morphisec customers using Windows 7 will also be protected, despite not receiving a patch for this vulnerability.
This is the power of moving target defense. We block every in-memory, browser-based attack before the payload can be delivered. We’ll continue to do that now and into the future.