Microsoft Issues Zero-Day Advisory for Internet Explorer
The newly discovered flaw affects Internet Explorer 9, 10, and 11 on Windows 7 through to Windows 10, and the respective Windows Server versions. The bug could be used to take complete control of a system and install new software, read and modify data, and create new accounts with full user rights. The bug is rated critical for Windows client SKUs and moderate for Windows Server because Enhanced Security Configuration mode is enabled by default and it provides additional protection for sites not explicitly added to the Internet Explorer Trusted Sites zone.
Microsoft says that users would need to open a link to a specially crafted website for the vulnerability to be exploited. Hackers often use social engineering to persuade users to open malicious links found in emails. While the flaw is being actively exploited in the wild, Microsoft says that so far it is aware of limited targeted attacks. A CVE has been assigned to the vulnerability (CVE-2020-0674) but there is no patch for the bug at the moment. Microsoft is working on providing a fix, although it’s not clear whether a patch for Windows 7 will be made available for organizations not paying for Extended Security Updates (ESU), as the OS reached end-of-life January 15th.
This zero-day appears to be connected to a similar attack that was launched against Firefox users recently. Mozilla has since updated its browser to protect against the flaw. According to ZDNet’s Catalin Cimpanu, Mozilla credited Chinese cybersecurity company Qihoo 360 with reporting the bug. Apparently, in a tweet that has now been deleted, Qihoo 360 said that there was also a similar flaw in Internet Explorer that was actively being exploited.
Mitigating the Internet Explorer Vulnerability
The official advice from Microsoft is to change permissions on jscript.dll. But taking this action can result in reduced functionality. The steps described in Microsoft’s security advisory involve taking ownership of the file and removing all access permissions to the DLL.
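The following PowerShell script is an added example, not code from Microsoft's advisory or from this article. It reports whether jscript.dll is currently readable and can apply or revert the permission change. It assumes an elevated session and uses takeown.exe and icacls.exe with the well-known Everyone SID as one way to take ownership and deny access; check the advisory for Microsoft's exact commands before deploying.

```powershell
# Added example (not Microsoft's script). Run elevated for -Apply / -Revert.
param([switch]$Apply, [switch]$Revert)

$everyone = '*S-1-1-0'   # well-known SID for Everyone, independent of OS language

# 64-bit Windows also ships a 32-bit copy under SysWOW64.
$targets = @(
    Join-Path $env:windir 'System32\jscript.dll'
    Join-Path $env:windir 'SysWOW64\jscript.dll'
) | Where-Object { Test-Path -LiteralPath $_ }

function Test-JScriptBlocked {
    param([string]$Path)
    # Behavioural check: with the workaround in place, opening the DLL for read is denied.
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        $stream.Dispose()
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}

foreach ($dll in $targets) {
    if ($Apply) {
        # Take ownership, then deny all access to Everyone.
        takeown.exe /f $dll | Out-Null
        icacls.exe $dll /deny "${everyone}:(F)" | Out-Null
    } elseif ($Revert) {
        # Remove the deny entry so the DLL can be loaded again.
        icacls.exe $dll /remove:d $everyone | Out-Null
    }
    if (($Apply -or $Revert) -and $LASTEXITCODE -ne 0) {
        Write-Warning "Permission change failed for $dll (exit code $LASTEXITCODE)"
    }
    # One status row per copy of the DLL: Blocked = True means the workaround is active.
    [pscustomobject]@{ Path = $dll; Blocked = Test-JScriptBlocked -Path $dll }
}
```

Run with no switches, the script only audits. Reverting removes the deny entry but does not restore the file's original owner.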
If your organization doesn’t use Internet Explorer, you could consider removing the component from Windows or using AppLocker, or a third-party application control solution, to block IE. While these methods aren’t likely to provide full protection against this zero-day, they will make it less likely that an attacker could persuade users to open a malicious site using Internet Explorer. In Windows 10, Windows Defender Application Guard, previously known as Device Guard, provides more robust application control than AppLocker.
For more information on blocking untrusted apps using AppLocker, see Block Untrusted Apps Using AppLocker on Petri.