Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/21/2020
05:00 PM
50%
50%

Microsoft, DHS Warn of Zero-Day Attack Targeting IE Users

Software firm is "aware of limited targeted attacks" exploiting a scripting issue vulnerability in Internet Explorer 9, 10, and 11 that previously has not been disclosed.

A targeted attack is targeting a previously unknown vulnerability in Internet Explorer to corrupt memory and exploit victims' Windows systems, Microsoft warned in an advisory published on January 17.

The flaw, described as a scripting engine memory corruption vulnerability and designated CVE-2020-0674, allows an attacker to take control of a Windows system by forcing it to use an older version of Microsoft's JavaScript that is only present for backward compatibility. By default, Internet Explorer does not use the vulnerable dynamic library, Microsoft stated.

"The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user," Microsoft stated in Advisory 200001. "An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system."

While the attack is serious, its impact is limited because Internet Explorer is only used by a limited number of users who want backward compatibility with older Microsoft technologies. Currently, only 2.3% of visitors use Internet Explorer 11, one of the vulnerable versions, according to W3counter.

The vulnerable library, <code>jscript.dll</code> is typically not used, so an attacker needs to control the website or have created a web page that is opened in a vulnerable browser.

"By convincing a user to view a specially crafted HTML document — [that is,] a web page [or] an email attachment — PDF file, Microsoft Office document, or any other document that supports embedded Internet Explorer scripting engine content, an attacker may be able to execute arbitrary code," Carnegie Mellon University's CERT Coordination Center stated in an advisory.

Companies that rely on Internet Explorer — a much smaller portion than a decade ago — should apply Microsoft's recommended workaround as soon as possible, says Casey Ellis, founder and chief technology officer of Bugcrowd.

"In the absence of a patch, having a workaround is crucial, and it's great that Microsoft provided alternatives to mitigate the risk to users," he says. "Since Google's Threat Analysis Group reported the vulnerability, it's unlikely that Chrome is affected by a similar bug and is safe to use."

The advice to use another browser is a more viable protection, mostly since other browsers are now much more popular than Microsoft Edge. Currently, only about 8% of web visitors use either Internet Explorer or, more likely, Microsoft Edge, according to W3Counter.

This is not the first time that Microsoft has had to scramble to contain attacks targeted its older scripting engines. If it seems like deja vu, it's because Microsoft patched a similar flaw in November. The issue, CVE-2019-1429, allowed attackers to corrupt the scripting engine's memory using a specially crafted website or an ActiveX control.

A year before that, another vulnerability, CVE-2018-8653, affected the scripting engine of Internet Explorer, allowing attackers to execute Visual Basic scripts or Microsoft's version of JavaScript.

Although Microsoft adopted a bug bounty to head off flaws, nation-state and criminal hackers continue to find ways to compromise systems, raising the question: If Microsoft's bug bounty did not convince the attacker to sell the vulnerability information to the software maker, are bug bounties effective?

Bugcrowd's Ellis defends the bounties because they raise the price of exploits and give ethical researchers another reason to disclose issues.

"This does not undermine bug bounties or crowdsourced security," he says. "The reality is that since the exploit has been used in limited targeted attacks, it is likely an offensive buyer paid more for it than Microsoft was offering or it was developed in-house for offensive use."

Ellis notes that Microsoft credited two organizations for finding the latest issue.

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "With International Tensions Flaring, Cyber-Risk Is Heating Up for All Businesses."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.