Microsoft announces that an IE 0day vulnerability has been exploited and no patch is available yet

On January 17, Microsoft issued a security advisory (ADV200001) stating that an IE 0day (CVE-2020-0674) had been exploited and that no patch was available, only contingency and mitigation measures. Microsoft said it was working on a fix that would be released later. Microsoft said the IE 0day had been exploited in the wild, noting that the exploits were seen only in "limited targeted attacks": the 0day was not used on a large scale, but only in a small number of attacks against specific users.

These limited IE 0day attacks are alleged to have been part of a larger hacking campaign that also involved attacks against Firefox users.

Details of the vulnerability

According to the advisory, Microsoft describes the IE 0day as a remote code execution (RCE) vulnerability caused by memory corruption in the IE scripting engine, the browser component responsible for processing JavaScript code.

Microsoft describes the 0day as a remote code execution vulnerability in the way the scripting engine handles objects in memory in IE. The vulnerability can corrupt memory in such a way that an attacker can execute arbitrary code in the context of the current user. An attacker who successfully exploits the vulnerability gains the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploits the vulnerability can take control of the affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker can host a specially crafted website designed to exploit the vulnerability through IE, and then convince the user to view the website, for example by sending an e-mail message containing a link.

The solution

By default, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019 run IE in the restricted "Enhanced Security Configuration" mode. Enhanced Security Configuration is a set of preconfigured IE settings that reduces the likelihood that a user or administrator downloads and runs specially crafted web content on the server. It is a mitigating factor for websites that have not been added to the IE Trusted sites zone.

Contingency measures

Restrict access to JScript.dll.

For 32-bit systems, enter the following commands at an administrator command prompt:

takeown /f %windir%\system32\jscript.dll

cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, enter the following commands at an administrator command prompt (both the 32-bit copy in syswow64 and the 64-bit copy in system32 must be restricted):

takeown /f %windir%\syswow64\jscript.dll

cacls %windir%\syswow64\jscript.dll /E /P everyone:N

takeown /f %windir%\system32\jscript.dll

cacls %windir%\system32\jscript.dll /E /P everyone:N

Notably, Microsoft says that applying this workaround may reduce the functionality of components or features that rely on jscript.dll. Therefore, Microsoft recommends installing the update as soon as it is available to get complete protection. You must undo the mitigation steps to return the system to its full state before installing the update.

By default, IE11, IE10, and IE9 use Jscript9.dll, which is not affected by the vulnerability. The vulnerability affects only certain websites that use the older Jscript scripting engine.

Undoing contingency measures

Microsoft also gave steps to undo the contingency measures:

For 32-bit systems, enter the following command at an administrator command prompt:

cacls %windir%\system32\jscript.dll /E /R everyone

For 64-bit systems, enter the following commands at an administrator command prompt:

cacls %windir%\system32\jscript.dll /E /R everyone

cacls %windir%\syswow64\jscript.dll /E /R everyone
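As an added example (this is not Microsoft's code and is not part of the advisory), the following PowerShell script wraps the apply and undo steps above in one place and adds a status check that reports whether the "Everyone" deny entry is present on each copy of jscript.dll, so an administrator can verify the workaround was applied to both copies on a 64-bit system before and after patching. It assumes an elevated PowerShell session, and that the deny entry written by "cacls ... /E /P everyone:N" is visible to Get-Acl as a Deny rule for the Everyone SID (S-1-1-0); the script, parameter and function names are this example's own.

```powershell
# Added example, not Microsoft's code: check, apply, or undo the jscript.dll
# access restriction described in ADV200001 on the local machine.
# Assumes an elevated PowerShell session (takeown/cacls and reading the ACL
# of a restricted file both need administrator rights).
# Usage:  .\JScriptMitigation.ps1 -Action Status|Apply|Undo

param(
    [ValidateSet('Status', 'Apply', 'Undo')]
    [string]$Action = 'Status'
)

# jscript.dll lives in system32 on every system; 64-bit systems also carry
# the 32-bit copy in syswow64, so both must be restricted (as in the advisory).
function Get-JScriptPaths {
    $paths = @(Join-Path $env:windir 'system32\jscript.dll')
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += Join-Path $env:windir 'syswow64\jscript.dll'
    }
    return $paths
}

# True when the ACL on $Path carries a Deny ACE for Everyone (S-1-1-0).
# Assumption: this is how the entry produced by "cacls /E /P everyone:N" appears.
function Test-JScriptRestricted {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -eq 'S-1-1-0') { return $true }
    }
    return $false
}

# The same two commands Microsoft lists, invoked from PowerShell.
function Invoke-JScriptMitigation {
    param([string]$Path)
    & takeown.exe /f $Path | Out-Null
    & cacls.exe $Path /E /P 'everyone:N' | Out-Null
}

# The undo command from the advisory.
function Undo-JScriptMitigation {
    param([string]$Path)
    & cacls.exe $Path /E /R everyone | Out-Null
}

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

foreach ($dll in Get-JScriptPaths) {
    if (-not (Test-Path -LiteralPath $dll)) {
        Write-Output "$dll : not present"
        continue
    }
    switch ($Action) {
        'Apply' { if (-not (Test-JScriptRestricted $dll)) { Invoke-JScriptMitigation $dll } }
        'Undo'  { if (Test-JScriptRestricted $dll) { Undo-JScriptMitigation $dll } }
    }
    # Report the resulting state so the change (or its absence) is visible.
    $state = if (Test-JScriptRestricted $dll) { 'restricted (Everyone denied)' } else { 'unrestricted' }
    Write-Output "$dll : $state"
}
```

Running the script with -Action Status after patching is a quick way to confirm that the deny entries were removed before the update was installed, as the advisory requires; an "unrestricted" line for every path is the expected result once the workaround has been undone.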

Microsoft says all supported versions of Windows desktop and server operating systems are affected.

Here I suggest that you update promptly once the patch is released.

Reference Source: Microsoft Official Announcement