Alert: There’s a new zero-day RCE in Windows Internet Explorer, CVE-2020-0674, with no patch available yet. Not only that, as of now (1/20/20) this vulnerability cannot be scanned for by VA tools. This vulnerability is highly dangerous and is reported to have been exploited in the wild. Therefore, security teams must act fast.
According to Microsoft, in a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.
How to Remediate
While there is no patch currently available to remediate this vulnerability, Microsoft has released a security advisory containing a workaround that mitigates the threat until a patch becomes available:
Restrict access to JScript.dll
For 32-bit systems, enter the following command at an administrative command prompt:
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
For 64-bit systems, enter the following command at an administrative command prompt:
takeown /f %windir%\syswow64\jscript.dll
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
Undoing the workaround (if necessary):
For 32-bit systems, enter the following command at an administrative command prompt:
cacls %windir%\system32\jscript.dll /E /R everyone
For 64-bit systems, enter the following command at an administrative command prompt:
cacls %windir%\system32\jscript.dll /E /R everyone
cacls %windir%\syswow64\jscript.dll /E /R everyone
Vulcan’s Remediation Playbook for CVE-2020-0674
To mitigate multiple assets automatically, we’ve generated a PowerShell script that runs the mitigating control on the target system. The script determines whether the operating system is 64-bit or 32-bit and applies the mitigation accordingly.
To mitigate, run the following script:
PS C:\> ./CVE2020-mitigation.ps1
To undo:
PS C:\> ./CVE2020-mitigation.ps1 -undo $True
Deployment Recommendation:
You can deploy the PowerShell mitigation easily with tools such as SCCM and Intune, or even by running it as a logon script.
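After a fleet-wide rollout it helps to confirm on each asset that the workaround is actually in effect. The script below is an added example, not Vulcan's CVE2020-mitigation.ps1 and not Microsoft's code; the function names are hypothetical, and it assumes PowerShell 3.0 or later and that a denied read of jscript.dll indicates the workaround is applied.

```powershell
# Added example: reports whether the jscript.dll workaround is in effect on this host.
# Assumption: a denied read is the indicator, since the workaround sets everyone:N.
# Function names are hypothetical. Requires PowerShell 3.0 or later.

function Get-JScriptTargets {
    $win = $env:windir
    if (-not [Environment]::Is64BitOperatingSystem) {
        return @("$win\system32\jscript.dll")
    }
    # A 32-bit process on a 64-bit OS has system32 redirected to syswow64;
    # the sysnative alias reaches the real 64-bit directory instead.
    $native = if ([Environment]::Is64BitProcess) { 'system32' } else { 'sysnative' }
    return @("$win\$native\jscript.dll", "$win\syswow64\jscript.dll")
}

function Test-JScriptBlocked {
    param([Parameter(Mandatory = $true)][string]$Path)
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        $stream.Dispose()
        return 'Readable'    # workaround not applied, or already undone
    } catch [System.UnauthorizedAccessException] {
        return 'Blocked'     # read denied, consistent with the workaround
    } catch [System.IO.FileNotFoundException] {
        return 'Missing'
    } catch {
        return "Error: $($_.Exception.Message)"
    }
}

$results = foreach ($path in Get-JScriptTargets) {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Path     = $path
        State    = Test-JScriptBlocked -Path $path
    }
}
$results | Format-Table -AutoSize

# Non-zero exit lets a deployment tool or logon script flag hosts where
# any copy of jscript.dll is not blocked and needs review.
if (@($results | Where-Object { $_.State -ne 'Blocked' }).Count -gt 0) { exit 1 }
exit 0
```

After the undo step, every path should report Readable again.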
Impact of Workaround
Implementing these steps might result in reduced functionality for components or features that rely on jscript.dll. To be fully protected, Microsoft recommends the update be installed as soon as possible. Please revert the mitigation steps before installing the update to return to a full state.
By default, IE11, IE10, and IE9 use Jscript9.dll, which is not impacted by this vulnerability. This vulnerability only affects certain websites that utilize jscript as the scripting engine.
Alternative Unofficial Workaround:
Block the use of Internet Explorer and Edge via GPO, or deny connections with Windows Defender Firewall.