CVE-2020-0674: Internet Explorer jscript.dll Scripting Engine Memory Corruption Vulnerability

On January 17th 2020, Microsoft issued a security advisory about the vulnerability CVE-2020-0674 affecting Microsoft Internet Explorer. This vulnerability allows an attacker to execute malicious code remotely on a system running Internet Explorer. The vulnerability is located in jscript.dll component, the old Internet Explorer JavaScript engine. However, attacks could force Internet Explorer to fallback to this vulnerable engine instead of the most recent one, Jscript9.dll.

This vulnerability seems very similar to previous vulnerabilities CVE-2018-8653 and CVE-2019-0609, affecting that same component.

Even though there are currently no public code samples available, different sources indicate that this vulnerability is already being exploited in the wild while Microsoft has not published any security fix yet.

An attack exploiting this vulnerability would take place when a vulnerable system accesses a website. This website can be a legitimate one that the attackers have compromised. Attackers can also convince the user to go to a website crafted specifically for that purpose, for instance by making the user click on a link in an e-mail.
Stormshield Endpoint Security delivers effective proactive protection against this threat if the following recommendations have been applied, by blocking attempts to exploit the vulnerability on the workstation.

Stormshield Endpoint Security – Block this threat

Protections against exploitation of memory corruption vulnerabilities

Based on attack samples that exploited similar vulnerabilities in the past (CVE-2018-8653 and CVE-2019-0609), we advise to enable Stormshield Endpoint Security RCP (Ret-Lib-C Protection) and HPP (HoneyPot Protection).

These protections are enabled by default as soon as protection against memory overflow is enabled (see SES Administration guide, page 141).

Block access to jscript.dll

Besides, as the vulnerability affects jscript.dll, you can create an applicative rule to deny any access to that component.

According to Microsoft, Internet Explorer IE11, IE10 and IE9 use by default the new Jscript9.dll engine that is not impacted by this vulnerability, instead of the vulnerable jscript.dll engine.

The application of this rule will not affect these browsers, except when accessing some websites requiring specifically the usage of the old jscript.dll engine and that will not work anymore in these browsers after applying this recommendation.

In case a user would face troubles browsing a specific website after applying this recommendation, you can look for the following alert in Stormshield Endpoint Security logs in order to understand if this new rule is in cause:

Other recommendations

Workaround solution from Microsoft

Microsoft official recommendation consists in restricting access to the vulnerable jscript.dll component.

This can be done using Windows Command Prompt (open as administrator):

1. For Windows 32 bits operating systems:

cacls %windir%system32jscript.dll /E /P everyone:N

2. For Windows 64 bits operating systems:

cacls %windir%system32jscript.dll /E /P everyone:N
cacls %windir%syswow64jscript.dll /E /P everyone:N

Functional impact of this recommendation:According to Microsoft, Internet Explorer IE11, IE10 and IE9 use by default the new Jscript9.dll engine that is not impacted by this vulnerability, instead of the vulnerable jscript.dll engine.

The application of this rule will not affect these browsers, except when accessing some websites requiring specifically the usage of the old jscript.dll engine and that will not work anymore in these browsers after applying this recommendation.

How to tell if you have been infected

There is currently no known indicator of compromise that would allow detecting if you have been impacted by an attack exploiting this vulnerability.

Share on

At the start of the year 2019, Microsoft warned Internet users that using Internet Explorer posed risks: the browser is no longer updated and security flaws are accumulating. So are there still long-standing users of IE?

About the author

mm
Julien Paffumi
Product Management Leader, Stormshield

Julien made his first foray into Arkoon’s R&D as a quality engineer. He then directly trained administrators and acquired broad knowledge of their needs – an invaluable experience for his next role as Product Manager of Arkoon Fast360 firewalls, and then of the Stormshield Management Center centralised administration console. Eager to share what he has learned, Julien now works in continuous improvement for Product Management at Stormshield as a Product Management Leader. This cross-cutting role also feeds his never-ending curiosity thanks to its broader approach to Stormshield solutions.