Users may have moved past Internet Explorer onto newer alternatives, but hackers still think they can get something out of the old browser. US-CERT and Microsoft have put out security advisories about an Internet Explorer bug that’s being used by hackers in the wild.
It’s a memory corruption bug that exists in the way IE’s scripting engine handles memory and could allow a remote attacker to run arbitrary code on the target machine.
The job of the scripting engine is to handle the execution of VBScript and JScript. Once on the machine, the hacker gets the same privileges as the current user. So, if the user is running an Administrator account, the hacker gets the power to install/uninstall apps.
The CERT advisory warns that any application that can embed IE or the affected scripting engine can be used as an attack vector. Thus, a malicious actor can compromise devices by getting the user to open a specially crafted website or other content that the embedded scripting engine renders.
This comes after the security firm Qihoo 360 tweeted about an IE bug but later deleted the tweet. Apparently, Microsoft’s advisory credits a researcher from the firm under the acknowledgments.
Microsoft has identified the memory corruption vulnerability as CVE-2020-0674 and said that it’s “aware of limited targeted attacks” being performed.
Right now there is no security patch for the flaw, but if necessary, Microsoft says, a possible workaround is to restrict access to the jscript.dll library (a defunct JScript version released in 2009). The bug doesn’t affect the newer jscript9.dll library that IE 11, IE 10 and IE 9 use by default.
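The workaround just described, restricting access to jscript.dll, as an added PowerShell example (written here, not taken from Microsoft’s advisory or from this article): it puts a deny-all entry for Everyone on each copy of the DLL, checks that the entry is in place, and can revert it. It assumes the standard System32 and SysWOW64 locations, an elevated shell, and the built-in takeown and icacls tools.

```powershell
# Added example: apply, verify and revert a "deny Everyone" ACL on jscript.dll,
# the access-restriction workaround described for CVE-2020-0674.
# Assumptions: standard DLL paths, elevated PowerShell, takeown.exe/icacls.exe present.

$JscriptPaths = @("$env:windir\System32\jscript.dll")
if (Test-Path "$env:windir\SysWOW64\jscript.dll") {
    $JscriptPaths += "$env:windir\SysWOW64\jscript.dll"   # 32-bit copy on 64-bit Windows
}

function Test-JscriptDenied {
    # Returns $true only when every listed copy carries a Deny ACE for Everyone (S-1-1-0).
    # Comparing SIDs avoids problems with localized account names.
    param([string[]]$Paths = $JscriptPaths)
    foreach ($p in $Paths) {
        $acl  = Get-Acl -Path $p
        $deny = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
        }
        if (-not $deny) { return $false }
    }
    return $true
}

function Set-JscriptDenied {
    # -Revert removes the Deny entry again; anything that legitimately loads
    # jscript.dll stops working while the entry is present, so keep the revert path handy.
    param([string[]]$Paths = $JscriptPaths, [switch]$Revert)
    foreach ($p in $Paths) {
        # The DLL is owned by TrustedInstaller; take ownership so the ACL can be edited.
        & takeown.exe /f $p | Out-Null
        if ($Revert) {
            & icacls.exe $p /remove:d '*S-1-1-0' | Out-Null      # drop the Deny ACE
        } else {
            & icacls.exe $p /deny '*S-1-1-0:(F)' | Out-Null      # Everyone: deny full control
        }
    }
}

# Usage: apply the workaround and confirm it took effect on every copy.
Set-JscriptDenied
if (Test-JscriptDenied) { 'jscript.dll access restricted on all copies' }
else                    { 'workaround NOT fully applied; check each path manually' }
# To undo later:  Set-JscriptDenied -Revert
```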
The list of vulnerable systems includes all supported Windows versions, and also Windows 7, for which extended support ended recently. It’s interesting to note that Microsoft’s advisory page lists a security patch for Windows 7 as well. Let’s wait to see whether the company delivers it or not.
The company is working on a fix, but it’s certainly not on the priority list. One shouldn’t expect it to arrive before the next Patch Tuesday update, which would be released on February 11.