• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

CVE-2020-0674: Internet Explorer Vulnerability

January 22, 2020 By Emil Hozan

Given the recent end of support for Windows 7 and Winders Server 2008 platforms, the timing could not be better for this vulnerability to make the news. Worse still, this Internet Explorer (IE) vulnerability applies to modern Windows platforms as well, and an official patch is not expected until February’s Patch Tuesday (the second Tuesday of every month), which means the official patch won’t be released for nearly three weeks. As of today, non-Server platforms get the Severity rating of Critical, while Server platforms are rated as Moderate.

The reason for the different Severity ratings is due to Windows Server platforms running IE in a restricted mode known as Enhanced Security Configuration. This is preconfigured to reduce the chances of administrators downloading and running specially crafted web content on a server. Non-Server users, however, are not as fortunate and need to be more aware of browsing habits. Ultimately regardless of your role (user or administrator), this vulnerability can only be exploited by going to an attacker-controlled web server or opening a specially crafted file that supports embedding Internet Explorer scripting engine content. The end result is that remote attackers can gain access to a system with the rights of said user – if the user accesses attacker-controlled content as the Administrator, the attacker gains those right, or else just standard user rights.

What’s more interesting is that IE versions 9, 10, and 11 use the newer jscript9.dll scripting engine by default. This engine is not impacted by this vulnerability. Only certain websites that still utilize the older scripting engine – jscript.dll (old engine) vs jscript9.dll (new engine) – are impacted. This begs the question of how a web server or specially crafted content can call upon the vulnerable engine, essentially forcing IE to go against its default and give way to this vulnerability. In any case, Microsoft did provide workarounds for this issue and it is detailed in their advisory. It’s worth noting that restricting access to jscript.dll can have negative outcomes depending on your organizations’ needs.

 

Summary and Takeaway

In summary, though this vulnerability exists on modern Windows platforms (Server or not), the threat requires specific circumstances to allow exploitation. An official patch isn’t expected until February’s Patch Tuesday (2/11), but 0patch has released a micropatch of its own. Obviously, this introduces other risks in terms of an outside entity patching another vendors’ product, so weigh your options carefully. Otherwise, Microsoft did provide a workaround and detailed steps for both 32- and 64-bit systems.

Consider contemplating other options. Is IE a must for your organization? Would changing web browsers affect your organization in a negative way? Is there any opposition for the switch? Questions like these need to be asked and answered. If swapping is simply not an option, assess the threat landscape for this vulnerability. For starters, the chances of this attack taking place vary – how you as the end user browse the web and conduct your routine is the determining factor. Consider that an attacker-controlled web server could exploit this, which stands true for many other threats, as does opening just about any other maliciously crafted content that somehow exploits various vulnerabilities in other products. In essence, if you vet a site and don’t follow links embedded in random emails, you should minimize your risk.

Share This:

Related

Filed Under: Editorial Articles Tagged With: IE 9, IE10, IE11, Internet Explorer, Zero day exploit

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • US National Cybersecurity Strategy
  • Here Come The Regulations
  • Successfully Prosecuting a Russian Hacker

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use