Get a demo
Voyager18 (research)

Remediate Windows Vulnerability CVE-2020-0674

Rhett | January 20, 2020

Alert: There’s a new zero-day RCE on Windows Internet Explorer, CVE-2020-0674, with no available patches out there yet. Not only that, as of now (1/20/20) this vulnerability cannot be scanned by VA tools. This vulnerability is highly dangerous and is reported to have been exploited in the wild. Therefore, security teams must act fast.

As Microsoft claimed, in a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email. 

How to Remediate

While there is no patch currently available to remediate this vulnerability, Microsoft have released a security advisory that contains a workaround that could mitigate the threat until a patch becomes available:

Restrict access to JScript.dll 

For 32-bit systems, enter the following command at an administrative command prompt: 

takeown /f %windir%system32jscript.dll    

cacls %windir%system32jscript.dll /E /P everyone:N

 

For 64-bit systems, enter the following command at an administrative command prompt: 

takeown /f %windir%syswow64jscript.dll    

cacls %windir%syswow64jscript.dll /E /P everyone:N    

takeown /f %windir%system32jscript.dll    

cacls %windir%system32jscript.dll /E /P everyone:N

 

Undoing the workaround (if necessary):

For 32-bit systems, enter the following command at an administrative command prompt: 

cacls %windir%system32jscript.dll /E /R everyone

 

For 64-bit systems, enter the following command at an administrative command prompt: 

cacls %windir%system32jscript.dll /E /R everyone        

cacls %windir%syswow64jscript.dll /E /R everyone 

 

Vulcan’s Remediation Playbook for CVE-2020-0674

In order to mitigate multiple assets automatically, we’ve generated a PowerShell script capable of automatically running the mitigating control on the target system. The script will automatically determine if the operating system is 64 or 32 bit and will apply the mitigation accordingly.

Download the script here

To mitigate, run the following script: 

PS C: > ./CVE2020-mitigation.ps1

 

To undo:

PS C: > ./CVE2020-mitigation.ps1 -undo $True 

 

Deployment Recommendation: 

You can deploy the PowerShell mitigation easily with tools like SCCM, Intune and more or even by running it via logon script. 

Impact of Workaround 

Implementing these steps might result in reduced functionality for components or features that rely on jscript.dll. To be fully protected, Microsoft recommends the update be installed as soon as possible. Please revert the mitigation steps before installing the update to return to a full state. 

By default, IE11, IE10, and IE9 uses Jscript9.dll which is not impacted by this vulnerability. This vulnerability only affects certain websites that utilize jscript as the scripting engine.  

Alternative Unofficial Workaround: 

Block the use of Internet Explorer and Edge via GPO or Deny connections with Windows defender firewall. 

To learn more about Vulcan Cyber, speak with one of our experts

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy

strip-img-2.png

Get rid of silos;

Start owning exposure risk

Test drive the leader in exposure risk management