On January 17th, 2020, Microsoft disclosed a memory corruption vulnerability in Internet Explorer's Scripting Engine, noting it is actively being exploited in limited targeted attacks .
To successfully exploit this vulnerability, an attacker would be required to convince a victim to open a crafted HTML document or webpage via Internet Explorer. If exploited, an unauthenticated attacker could remotely execute malicious code in the context of the current user. It is recommended that organizations reduce their risk by discouraging use of Internet Explorer or by implementing the workarounds offered by Microsoft.
What we’re doing about it:
- Monitoring this topic for further developments.
- eSentire is actively evaluating detection methods for the exploitation of this vulnerability.
What you should do about it:
- Consider replacing Internet Explorer with alternative modern browsers such as Microsoft Edge, Mozilla Firefox or Google Chrome
- Technical workarounds are available from Microsoft .
- Customers are encouraged to asses the potential impact of implementing Microsoft’s workarounds prior to implementation.
- Current workarounds from Microsoft may cause issues for any websites or applications that relies on jscript.dll.
- esENDPOINT customers may request information on jscript.dll usage in their environment from the eSentire Security Operations Center.
This vulnerability (CVE-2020-0674) allows an unauthenticated attacker to execute arbitrary code remotely if they can convince a user to run the code. Malicious code can come packaged in any maliciously crafted web page or document compatible with Internet Explorer Scripting Engine, a default service on Windows devices .
To exploit this vulnerability the attacker would need to serve the victim malicious content via Internet Explorer. In one scenario the method of exploitation is via email, with the attacker serving malicious links or documents leading to the Scripting Engine exploit.
Currently, there is minimal technical information for this vulnerability. Microsoft has stated that there have been limited targeted attacks. At this time eSentire has not observed attacks exploiting this vulnerability, nor is there public information on the confirmed attacks.