Given the recent end of support for Windows 7 and Winders Server 2008 platforms, the timing could not be better for this vulnerability to make the news. Worse still, this Internet Explorer (IE) vulnerability applies to modern Windows platforms as well, and an official patch is not expected until February’s Patch Tuesday (the second Tuesday of every month), which means the official patch won’t be released for nearly three weeks. As of today, non-Server platforms get the Severity rating of Critical, while Server platforms are rated as Moderate.
The reason for the different Severity ratings is due to Windows Server platforms running IE in a restricted mode known as Enhanced Security Configuration. This is preconfigured to reduce the chances of administrators downloading and running specially crafted web content on a server. Non-Server users, however, are not as fortunate and need to be more aware of browsing habits. Ultimately regardless of your role (user or administrator), this vulnerability can only be exploited by going to an attacker-controlled web server or opening a specially crafted file that supports embedding Internet Explorer scripting engine content. The end result is that remote attackers can gain access to a system with the rights of said user – if the user accesses attacker-controlled content as the Administrator, the attacker gains those right, or else just standard user rights.
What’s more interesting is that IE versions 9, 10, and 11 use the newer jscript9.dll scripting engine by default. This engine is not impacted by this vulnerability. Only certain websites that still utilize the older scripting engine – jscript.dll (old engine) vs jscript9.dll (new engine) – are impacted. This begs the question of how a web server or specially crafted content can call upon the vulnerable engine, essentially forcing IE to go against its default and give way to this vulnerability. In any case, Microsoft did provide workarounds for this issue and it is detailed in their advisory. It’s worth noting that restricting access to jscript.dll can have negative outcomes depending on your organizations’ needs.
Summary and Takeaway
In summary, though this vulnerability exists on modern Windows platforms (Server or not), the threat requires specific circumstances to allow exploitation. An official patch isn’t expected until February’s Patch Tuesday (2/11), but 0patch has released a micropatch of its own. Obviously, this introduces other risks in terms of an outside entity patching another vendors’ product, so weigh your options carefully. Otherwise, Microsoft did provide a workaround and detailed steps for both 32- and 64-bit systems.
Consider contemplating other options. Is IE a must for your organization? Would changing web browsers affect your organization in a negative way? Is there any opposition for the switch? Questions like these need to be asked and answered. If swapping is simply not an option, assess the threat landscape for this vulnerability. For starters, the chances of this attack taking place vary – how you as the end user browse the web and conduct your routine is the determining factor. Consider that an attacker-controlled web server could exploit this, which stands true for many other threats, as does opening just about any other maliciously crafted content that somehow exploits various vulnerabilities in other products. In essence, if you vet a site and don’t follow links embedded in random emails, you should minimize your risk.