Avoid IE until vulnerability is patched
The information below was sent to U-M IT staff groups in email January 20, 2010. It is intended for U-M IT staff who are responsible for university machines that have Microsoft Internet Explorer installed, as well as individuals who have IE on their own devices.
2/11/20 update: Microsoft has released an update that fixes the vulnerability. See Information Assurance Alert: Apply Microsoft update to fix IE vulnerability (2/11/20).
1/21/20 update: Some business applications and sites only work with IE. If IE is your only option for a particular work-related task, you may use it. Use it only for the function that absolutely requires it. Do not use IE for casual browsing or to visit other sites. Use a different browser for all other sites and web-based applications.
Summary
The Microsoft Internet Explorer (IE) web browser has a critical vulnerability that is being exploited in the wild. A patch is not yet available. If you still use IE, please use an alternate web browser (such as Microsoft Edge, Google Chrome, or Mozilla Firefox) until a patch is available.
Problem
A remote code execution (RCE) vulnerability has been found in the scripting engine of the Internet Explorer (IE) web browser. This critical vulnerability (CVE-2020-0674) impacts IE across all versions of Windows and can corrupt memory so that an attacker can execute arbitrary code. According to Microsoft, "if the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system." Microsoft has not yet released a patch for this vulnerability.
Threats
There is as yet no patch for this critical vulnerability, and it is being exploited in the wild. An attacker who successfully exploits the vulnerability could gain the same user rights as the current user.
Affected Versions
All supported Windows desktop and Server OS versions of Microsoft Internet Explorer.
Action Items
Use an alternate web browser until Microsoft releases an update to IE. Apply the update when it is available after appropriate testing.
Microsoft offers some mitigation options and work-arounds for those with technical expertise at ADV200001 | Microsoft Guidance on Scripting Engine Memory Corruption Vulnerability.
Technical Details
According to Microsoft: "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user."
According to the Carnegie Mellon CERT Coordination Center: “Microsoft Internet Explorer contains a scripting engine, which handles execution of scripting languages such as VBScript and JScript. The scripting engine JScript component contains an unspecified memory corruption vulnerability. Any application that supports embedding Internet Explorer or its scripting engine component may be used as an attack vector for this vulnerability."
The center also noted: "jscript.dll is a library that provides compatibility with a deprecated version of JScript that was released in 2009. Blocking access to this library can prevent exploitation of this and similar vulnerabilities that may be present in this old technology.”
How We Protect U-M
- Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
- IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
- IA provides vulnerability management guidance to the university.
Information for Users
If you have Microsoft Internet Explorer (IE) installed on your own devices that are not managed by the university, use an alternate web browser (for example, Microsoft Edge, Google Chrome, or Mozilla Firefox) for now until an IE update is available and you have applied it.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
References
- New Internet Explorer zero‑day remains unpatched (We Live Security, 1/20/20)
- ADV200001 | Microsoft Guidance on Scripting Engine Memory Corruption Vulnerability (Microsoft, 1/17/20; updated 1/19/20)
- Microsoft issues Internet Explorer zero-day warning, but there’s no patch yet (Graham Cluley, 1/19/20)
- U.S. Government Confirms Critical Browser Zero-Day Security Warning For Windows Users (Forbes, 1/18/20)
- Microsoft warns about Internet Explorer zero-day, but no patch yet (ZDNet, 1/17/20)
- Microsoft Internet Explorer Scripting Engine memory corruption vulnerability (Carnegie Mellon University, CERT Coordination Center, 1/17/20; revised 1/18/20)
- Microsoft says it will fix an Internet Explorer security bug under active attack (Tech Crunch, 1/18/20)
- CVE-2020-0674