Apply Microsoft update to fix IE vulnerability
The information below was sent to U-M IT staff groups on February 11, 2020 It is intended for U-M IT staff who are responsible for university machines that have Microsoft Internet Explorer (IE) installed, as well as individuals who have IE on their own devices.
Summary
An update is now available for Microsoft Internet Explorer (IE) to fix the critical vulnerability reported on January 20. Apply the update as soon as possible after appropriate testing. Continue to use an alternative web browser until after you have applied the update.
Problem
In January, a remote code execution (RCE) vulnerability was found in the scripting engine of the Internet Explorer (IE) web browser. An update was not available at that time. See Information Assurance Alert: Avoid IE until vulnerability is patched for details. Microsoft released an update today that fixes the vulnerability.
Affected Versions
All supported Windows desktop and Server OS versions of Microsoft Internet Explorer (IE).
Action Items
Apply the update as soon as possible after appropriate testing. Run Windows Update to update IE. Continue to use an alternative web browser until you have applied the update.
Information for Users
If you have Microsoft Internet Explorer (IE) installed on your own devices that are not managed by the university, it is best to set it to update automatically. Update IE by running Windows Update. Continue to use an alternate web browser until after you have updated IE.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
References
- CVE-2020-0674 | Scripting Engine Memory Corruption Vulnerability (Microsoft, 2/11/20)
- Microsoft's February 2020 Patch Tuesday fixes 99 security bugs (ZDNet, 2/11/20)
- Microsoft's February 2020 Patch Tuesday Fixes 99 Flaws, IE 0day (Bleeping Computer, 2/11/20)
- CVE-2020-0674
- Information Assurance Alert: Avoid IE until vulnerability is patched (Safe Computing, 1/20/20)