Author Topic: Actively Exploited IE 11 Zero-Day Bug Gets Temporary Patch  (Read 194 times)

Offline javajolt

  • Administrator
  • Hero Member
  • *****
  • Posts: 35122
  • Gender: Male
  • I Do Windows
    • windows10newsinfo.com
Actively Exploited IE 11 Zero-Day Bug Gets Temporary Patch
« on: January 21, 2020, 06:45:25 PM »
A micropatch implementing Microsoft's workaround for the actively exploited zero-day remote code execution (RCE) vulnerability impacting Internet Explorer is now available via the 0patch platform until an official fix will be released.

Microsoft's advisory says that the company is aware of "limited targeted attacks" targeting the flaw tracked as CVE-2020-0674.

The vulnerability, reported by Clément Lecigne of Google’s Threat Analysis Group and Ella Yu from Qihoo 360, "could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user" according to Microsoft.

If the user is logged on with administrative permissions on a compromised device, attackers can take full control of the system allowing for program installation and data manipulation, or the possibility to create accounts with full user rights.

While no patch for this security issue has been provided so far, Redmond is working on a fix that could be pushed out as an out-of-band security update before next month's Patch Tuesday, just as it happened when a very similar Internet Explorer RCE zero-day was fixed in September 2019.



Implementing the workaround without the side effects

The critical CVE-2020-0674 flaw is present in jscript.dll and impacts Internet Explorer 9, 10, and 11 on multiple versions of Windows including Windows 7, Windows 8.1, Windows 10 and Windows Server.

While Microsoft provided a set of mitigation measures as a workaround for this issue, the company also said that implementing them "might result in reduced functionality for components or features that rely on jscript.dll."

As 0patch found, the mitigation provided by Redmond also comes with several other negative side effects including:

Quote
• Windows Media Player is reported to break on playing MP4 files.

• The sfc (Resource Checker), a tool that scans the integrity of all protected system files and replaces incorrect versions with correct Microsoft versions, chokes on jscript.dll with altered permissions.

• Printing to "Microsoft Print to PDF" is reported to break.

• Proxy automatic configuration scripts (PAC scripts) may not work.

0patch created and released a micropatch for Internet Explorer 11, the latest version of the web browser, ready to be applied on fully-patched devices running of Windows 7, Windows 10 v1709/v1803/v1809, Windows Server 2008 R2, and Windows Server 2019.

Applying it on these systems will also protect Windows 7 and Windows Server 2008 R2 users that haven't enrolled in the Extended Security Updates program in the event that Microsoft won't be releasing security fixes for their platform.

"Our micropatch works like a switch that disables or enables the use of vulnerable jscript.dll by Internet Explorer's browser component in various applications (IE, Outlook, Word,...)," 0patch co-founder Mitja Kolsek explained.

"If you're a 0patch user, you already have this micropatch downloaded to all your online computers with 0patch Agent, and - depending on your settings - already automatically applied to all processes using the Internet Explorer 11 engine for rendering content.

This includes Internet Explorer (obviously), Microsoft Word, Microsoft Outlook, and a variety of other applications."

Windows Media Player (WMP) is the exception, with 0patch deciding against providing a micropatch for the app as it displays a security warning when a potential attacker would want to use it as an attack vector to display a remote website.

A video of the micropatch in action on a vulnerable device is embedded below.



"Our micropatch is designed to avoid negative side effects of Microsoft's workaround [..]," Kolsek added.

"It can also be easily reverted (un-applied) with a switch of a button without leaving any traces, while the workaround changes the ownership on jscript.dll."

The micropatch can be downloaded and applied after creating a 0patch account, downloading the 0patch Agent, and registering the agent on the device.

More information on what happens if you apply the micropatch and Microsoft's future patch on the same devices, as well as details on how to deploy it on your organization's network, can be found at the end of 0Patch's blog post on the CVE-2020-0674 micropatch.

source
« Last Edit: January 21, 2020, 06:56:02 PM by javajolt »