{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2020-006.pdf"
    },
    "title": "Internet Explorer Zero-Day Vulnerability",
    "serial_number": "2020-006",
    "publish_date": "20-01-2020 13:01:00",
    "description": "Microsoft released an advisory notifying about a remote code execution (RCE) vulnerability existing in the scripting engine of Internet Explorer (IE). The vulnerability allows an attacker to corrupt the memory of the IE and execute code with the privileges of the current user. Currently, there is no patch for the reported vulnerability.",
    "url_title": "2020-006",
    "content_markdown": "---\ntitle: 'Internet Explorer Zero-Day\u00a0Vulnerability'\nversion: '1.0'\nnumber: '2020-006'\ndate: 'January 20, 2020'\n---\n\n_History:_\n\n* _20/01/2020 --- v1.0 -- Initial publication_\n\n# Summary\n\nMicrosoft released an advisory [1] notifying about a remote code execution (RCE) vulnerability existing in the scripting engine of Internet Explorer (IE). The vulnerability allows an attacker to corrupt the memory of the IE and execute code with the privileges of the current user. Currently, there is no patch for the reported vulnerability.\n\n# Technical Details\n\nMS IE Scripting Engine has a memory corruption vulnerability [1] that allows a remote attacker to launch an RCE attack [2]. The execution of the arbitrary code takes place under the session of the current user of the browser. Under certain circumstances the attack can result in a **full system compromise**.\n\nThe vulnerability lays in `JScript.dll` and not in `JScript9.dll`. This vulnerability only affects certain websites that utilize `JScript` as the scripting engine.\n\nThe vulnerability is registered as CVE-2020-0674 [3].\n\n# Affected Products\n\nThe vulnerability exists in MS Internet Explorer versions 9/10/11 [1].\n\n# Recommendations\n\nNo patch is currently available. Please monitor the topic and update as soon as a patch becomes available.\n\nIn order to restrict access to `JScript.dll` the following commands can be applied [1]:\n\n* 32-bit systems, execute the following commands with administrator privileges:\n\n```\n\ttakeown /f %windir%\\system32\\jscript.dll\n\tcacls %windir%\\system32\\jscript.dll /E /P everyone:N\n```\n\n* 64-bit systems, execute the following commands with administrator privileges:\n\n```\n\ttakeown /f %windir%\\syswow64\\jscript.dll\n\tcacls %windir%\\syswow64\\jscript.dll /E /P everyone:N\n\ttakeown /f %windir%\\system32\\jscript.dll\n\tcacls %windir%\\system32\\jscript.dll /E /P everyone:N\n```\n\nThese steps might affect the normal functionality of a system and are not resolving the issue, only reduce the possibility of exploitation. Before applying an update, please follow the instructions on the Microsoft Advisory [1] for reverting the access restriction.\n\nIE on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server. This is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone [1].\n\n# References\n\n[1] <https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001>\n\n[2] <https://en.wikipedia.org/wiki/Arbitrary_code_execution>\n\n[3] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0674>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>20/01/2020 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>Microsoft released an advisory [1] notifying about a remote code execution (RCE) vulnerability existing in the scripting engine of Internet Explorer (IE). The vulnerability allows an attacker to corrupt the memory of the IE and execute code with the privileges of the current user. Currently, there is no patch for the reported vulnerability.</p><h2 id=\"technical-details\">Technical Details</h2><p>MS IE Scripting Engine has a memory corruption vulnerability [1] that allows a remote attacker to launch an RCE attack [2]. The execution of the arbitrary code takes place under the session of the current user of the browser. Under certain circumstances the attack can result in a <strong>full system compromise</strong>.</p><p>The vulnerability lays in <code>JScript.dll</code> and not in <code>JScript9.dll</code>. This vulnerability only affects certain websites that utilize <code>JScript</code> as the scripting engine.</p><p>The vulnerability is registered as CVE-2020-0674 [3].</p><h2 id=\"affected-products\">Affected Products</h2><p>The vulnerability exists in MS Internet Explorer versions 9/10/11 [1].</p><h2 id=\"recommendations\">Recommendations</h2><p>No patch is currently available. Please monitor the topic and update as soon as a patch becomes available.</p><p>In order to restrict access to <code>JScript.dll</code> the following commands can be applied [1]:</p><ul><li>32-bit systems, execute the following commands with administrator privileges:</li></ul><pre><code>takeown /f %windir%\\system32\\jscript.dll\n    cacls %windir%\\system32\\jscript.dll /E /P everyone:N\n</code></pre><ul><li>64-bit systems, execute the following commands with administrator privileges:</li></ul><pre><code>takeown /f %windir%\\syswow64\\jscript.dll\n    cacls %windir%\\syswow64\\jscript.dll /E /P everyone:N\n    takeown /f %windir%\\system32\\jscript.dll\n    cacls %windir%\\system32\\jscript.dll /E /P everyone:N\n</code></pre><p>These steps might affect the normal functionality of a system and are not resolving the issue, only reduce the possibility of exploitation. Before applying an update, please follow the instructions on the Microsoft Advisory [1] for reverting the access restriction.</p><p>IE on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 runs in a restricted mode that is known as Enhanced Security Configuration. Enhanced Security Configuration is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server. This is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone [1].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001\">https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://en.wikipedia.org/wiki/Arbitrary_code_execution\">https://en.wikipedia.org/wiki/Arbitrary_code_execution</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0674\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0674</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}