New Internet Explorer zero‑day remains unpatched

Microsoft has released a security advisory alerting users to an as-yet unpatched vulnerability in its Internet Explorer (IE) web browser that is being exploited in limited targeted attacks.

The zero-day, which is tracked as CVE-2020-0674, is a memory corruption issue in the browser’s scripting engine. Its exploitation could enable remote attackers to run code of their choice on the compromised system.

The remote-code execution (RCE) security hole affects IE versions 9, 10 and 11 running on all supported Windows desktop and server versions, as well as the no-longer-supported Windows 7. The vulnerability can be exploited by attackers who lure you to visit a malicious website via the browser, typically by sending an email. It could ultimately enable crooks to install programs, tamper with data or set up new accounts with full user rights on the affected system.

Déjà vu with a twist

If most of this sounds familiar, it is for good reason. As recently as September and November 2019, respectively, the company disclosed two other zero-days in the browser.

There is an important difference, though. This time no patch is available – for the time being, anyway. Instead, it appears that the fix will not be rolled out until the next Patch Tuesday, February 11^th.

“Microsoft is aware of this vulnerability and working on a fix. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month,” said the tech giant.

Other than that, it is thought that the vulnerability may be related to another recently-disclosed zero-day flaw – this time in the Firefox browser. Mozilla released a patch for the latter vulnerability earlier this month.

What to do?

The newly-disclosed flaw can be mitigated by restricting access to the JavaScript component JScript.dll. Also, Microsoft noted that the risk of exploitation is lower on Windows Server, where Internet Explorer is, by default, locked down to protect against browser-based attacks. This restricted mode, called Enhanced Security Configuration, “can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server”, said Microsoft.

Meanwhile, the United States’ Cybersecurity and Infrastructure Security Agency (CISA) released its own advisory, encouraging users and admins to implement workarounds and switch to other browsers until a patch is available.

Indeed, Microsoft’s own cybersecurity chief Chris Jackson said back in 2019 that Internet Explorer is a “compatibility solution”. In other words, it often works for businesses that are reliant on it for the sake of compatibility with legacy web apps. The browser may not be the best solution for your daily web browsing needs.

Just days ago, Microsoft launched its new Chromium-based Edge browser.

20 Jan 2020 – 04:51PM