Microsoft announced on Friday that it’s in the process of developing a patch for a zero-day vulnerability in Internet Explorer that has been exploited in targeted attacks, reportedly by a threat group tracked as DarkHotel. Until a fix becomes available, the company has shared some workarounds and mitigations.
The flaw, tracked as CVE-2020-0674 and described as a memory corruption issue, affects the scripting engine in Internet Explorer, specifically a JScript component. The problematic component is a library named jscript.dll, which provides compatibility with a deprecated version of the JScript scripting language.
According to Microsoft, the vulnerability can be exploited for remote code execution in the context of the targeted user. The attacker must convince the target to visit a specially crafted website in order to exploit the vulnerability. The flaw can be leveraged to take control of an affected system if the targeted user has administrator privileges.
Microsoft says the vulnerability impacts Internet Explorer 9, 10 and 11 when running on Windows 7, 8.1, 10, Server 2008, Server 2012, Server 2016, and Server 2019.
The company says the risk is mitigated on Windows Server because Internet Explorer runs by default in a restricted mode named Enhanced Security Configuration, which reduces the chances of a user or admin downloading and running malicious content on a server.
The tech giant has also pointed out that all supported versions of Internet Explorer use Jscript9.dll by default, which is not affected by the vulnerability. However, the flaw affects certain websites that rely on jscript as the scripting engine.
Until a patch is released, Microsoft has advised users to enter specific administrative commands to restrict access to jscript.dll. Users will later need to revert this workaround before installing any future updates.
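A read-only check for the state of this workaround, as an added example that comes from neither the article nor Microsoft's advisory. It assumes the restriction is applied as a Deny entry for Everyone on the jscript.dll copies under System32 and SysWOW64, and it should be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the article): report whether jscript.dll is
# currently restricted, so the workaround can be tracked and later reverted.
# Assumption: the restriction is a Deny ACE for Everyone (SID S-1-1-0).
$everyoneSid = 'S-1-1-0'

# 64-bit Windows carries a 64-bit (System32) and a 32-bit (SysWOW64) copy.
$candidates = @(
    (Join-Path $env:windir 'System32\jscript.dll'),
    (Join-Path $env:windir 'SysWOW64\jscript.dll')
)

foreach ($path in $candidates) {
    if (-not (Test-Path -Path $path)) { continue }
    try {
        $acl = Get-Acl -Path $path -ErrorAction Stop
        # Resolve identities to SIDs so the match does not depend on locale.
        $deny = @($acl.GetAccessRules($true, $true,
                [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Value -eq $everyoneSid
            })
        $state = if ($deny.Count -gt 0) { 'Restricted' } else { 'Not restricted' }
        $owner = $acl.Owner
    }
    catch {
        # Reading the ACL fails when the caller is neither owner nor elevated.
        $state = 'Unknown (cannot read ACL)'
        $owner = $null
    }
    New-Object PSObject -Property @{ Path = $path; State = $state; Owner = $owner }
}
```

Hosts that report "Restricted" are the ones where the workaround has to be reverted before future updates are installed.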
Microsoft says it has learned about the vulnerability from Google’s Threat Analysis Group and Chinese cybersecurity firm Qihoo 360, which have apparently seen the weakness being exploited in limited, targeted attacks.
“Microsoft is aware of this vulnerability and working on a fix. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers,” the company said in its advisory, suggesting that a patch may not come too soon.
Qihoo 360 has found evidence suggesting (report in Chinese) that the vulnerability has been exploited by the DarkHotel threat group, which some believe may be sponsored by South Korea. DarkHotel has also been linked recently to attacks exploiting a zero-day flaw in Chrome.
Clément Lecigne, the Google researcher credited for the vulnerability, said on Twitter that “hopefully one day” they will be able to release more details about the exploits involving CVE-2020-0674.
Google’s Threat Analysis Group has reported several vulnerabilities to Microsoft in the past years, including CVE-2018-8653, CVE-2019-1367, CVE-2019-0676, CVE-2019-1429 and CVE-2019-0808.
Some users are now wondering if Microsoft will also release a patch for Windows 7, which reached end of life on January 14.
In the meantime, 0patch, which provides third-party micropatches for serious vulnerabilities, has promised to release a fix for CVE-2020-0674 this week. The fix will prevent IE from loading jscript.dll.
Security professionals have advised users to simply stop using Internet Explorer, but as an advisory published last week by Siemens shows, some web-based software can still only run in Internet Explorer.
*Updated with information from Qihoo 360 regarding the attacks