Microsoft Zero-Day Actively Exploited, Patch Forthcoming

An unpatched remote code-execution vulnerability in Internet Explorer is being actively exploited in the wild, Microsoft has announced. It’s working on a patch. In the meantime, workarounds are available.

The bug (CVE-2020-0674) which is listed as critical in severity for IE 11, and moderate for IE 9 and IE 10, exists in the way that the jscript.dll scripting engine handles objects in memory in the browser, according to Microsoft’s advisory, issued Friday.

The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user – meaning that an adversary could gain the same user rights as the current user.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system,” Microsoft explained. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

An attack could be carried out using a malicious website designed to exploit the vulnerability through IE, the advisory noted. Threat actors could lure victims to the site by sending an email, through watering-hole techniques, via malicious documents containing a web link and other social-engineering efforts.

There is a workaround available from Microsoft, as well as a micropatch from 0patch, released on Tuesday.

Darkhotel APT Active Attacks

The in-the-wild attacks are likely the work of the Asian APT known as Darkhotel, according to the researchers at Qihoo 360 who found the bug.

“The impact [could be] no less than the damage caused by the previous WannaCry ransomware virus,” the security firm said in a Chinese-language web advisory. “At present, it is judged from the details and characteristics of the captured attacks that the zero-day vulnerability of IE browser is suspected to have come from the Peninsula’s APT organization, Darkhotel.”

Darkhotel was first identified in 2014 by Kaspersky researchers, who said the group had been active since at least 2007. The group is known for targeting diplomats and corporate executives via Wi-Fi networks at luxury hotels – but it has widened its targeting over the years, while continuing to leverage zero-day vulnerabilities and exploits.

In this case, Darkhotel is using Office documents for targeted attacks, according to Qihoo 360.

“The attacker’s in-field exploitation embeds the vulnerability in an Office document, and users will be successful when they open an Office document or browse the web,” the firm warned. “Once the user opens the malicious document carrying the vulnerability, he will browse the malicious webpage and execute the attack program. The user is not even aware that the device has been controlled. The attacker can take the opportunity to implant ransomware, monitor and monitor, and steal sensitive information And so on.”

Patch and Workaround

While Microsoft is aware of “limited targeted attacks,” a patch won’t be released until next month’s Patch Tuesday, according to the computing giant.

“Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers,” it said.

One of the reasons the sense of urgency may be less than one would expect with a zero-day is the fact that all supported versions of IE in their default configuration use Jscrip9.dll as their scripting engine, which is not vulnerable to the flaw. However, the issue affects versions of IE being used in Windows 7, which reached end-of-life last week and therefore no longer supported. Qihoo 360 warned that this install base in particular is at risk.

For those that do use jscript.dll, Microsoft detailed a workaround that involves using administrative commands to restrict access to the scripting library. It’s not ideal however: It could result in reduced functionality for components or features that rely on jscript.dll.

“For example, depending on the environment, this could include client configurations that leverage proxy automatic configuration scripts (PAC scripts),” Microsoft said. “These features and others may be impacted.”

Also, users will need to revert this workaround in order to install any future patches or updates.

The team at 0patch has meanwhile released micropatch this week that implements the workaround while addressing some of the downsides.

> We are planning to issue a micropatch for CVE-2020-0674 next week which will prevent Internet Explorer from loading jscript.dll, effectively implementing Microsoft’s workaround but without some unwanted side effects such as breaking the sfc command.
(cont)
>
> — 0patch (@0patch) January 19, 2020

“Because the provided workaround has multiple negative side effects, and because it is likely that Windows 7 and Windows Server 2008 R2 users without Extended Security Updates will not get the patch at all (their support ended this month), we decided to provide a micropatch that simulates the workaround without its negative side effects,” the company said in a blog. “Microsoft’s workaround comprises setting permissions on jscript.dll such that nobody will be able to read it. This workaround has an expected negative side effect that if you’re using a web application that employs legacy JScript (and can as such only be used with Internet Explorer), this application will no longer work in your browser.”

According to 0patch, other negative side effects of the workaround that the micropatch avoids are:

• Windows Media Player is reported to break on playing MP4 files.
• The sfc (Resource Checker), a tool that scans the integrity of all protected system files and replaces incorrect versions with correct Microsoft versions, chokes on jscript.dll with altered permissions.
• Printing to “Microsoft Print to PDF” is reported to break.
• Proxy automatic configuration scripts (PAC scripts) may not work.

_Concerned about mobile security? _Check out our free Threatpost webinar,_Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. _Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from_Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. _Click here to register.