Internet Explorer’s new zero-day is still not fixed


You may want to implement a workaround or stop using the browser altogether, at least until Microsoft releases a fix.

UPDATE (February 12, 2020, 12:50 a.m. CET) – A patch for the vulnerability has been made available as part of Microsoft’s Patch Tuesday rollout in February 2020.

Microsoft has issued a security advisory alerting users to an unpatched vulnerability in its Internet Explorer (IE) web browser that is being exploited in limited targeted attacks.

The zero-day, which is tracked as CVE-2020-0674, is a memory corruption issue in the browser’s script engine. Its exploitation could allow remote attackers to execute code of their choice on the compromised system.

The Remote Code Execution (RCE) security vulnerability affects versions 9, 10, and 11 of IE running on all supported Windows desktop and server versions, as well as Windows 7. The vulnerability can be exploited by attackers who lure you into visiting a malicious website through the browser, usually by sending an email. This could ultimately allow crooks to install programs, tamper with data, or create new accounts with full user rights on the affected system.

Already seen with a twist

If most of this sounds familiar to you, it’s for good reason. As recently as September and November 2019, respectively, the company disclosed two other zero-days in the browser.

There is still an important difference. This time, no patch is available, at least for the moment. Instead, it looks like the fix won’t be rolling out until the next Patch Tuesday, on February 11.

“Microsoft is aware of this vulnerability and is working on a fix. Our standard policy is to release security updates on the Update Tuesday, the second Tuesday of each month,” the tech giant said.

Apart from that, it is believed that the vulnerability may be related to another recently disclosed zero-day flaw – this time in the Firefox browser. Mozilla released a patch for this latest vulnerability earlier this month.

What to do?

The newly disclosed vulnerability can be mitigated by restricting access to the JavaScript component JScript.dll. Additionally, Microsoft has noted that the exploitation risk is lower on Windows Server, where Internet Explorer is, by default, locked down to protect against browser-based attacks. This restricted mode, called Enhanced Security Configuration, “can reduce the likelihood that a user or administrator will download and run specially crafted web content on a server,” Microsoft said.
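To confirm that the JScript.dll restriction described above is actually in effect on a machine, an administrator could run a check like the following. This is an added example, not code from Microsoft or from the original article; the function name and the file locations (the standard Windows system directories) are assumptions, and it tests read access only, which a deny-all permission on the file blocks.

```powershell
# Added example: report whether jscript.dll can be opened for reading by the
# account running this script. Test-JScriptAccess is a hypothetical name.
function Test-JScriptAccess {
    param([string[]]$Path)

    foreach ($p in $Path) {
        $state = 'Unknown'
        $detail = ''
        try {
            # A successful read-only open means access is not restricted
            # for this account.
            $fs = [System.IO.File]::Open($p, 'Open', 'Read', 'ReadWrite')
            $fs.Dispose()
            $state = 'Accessible'
        }
        catch [System.UnauthorizedAccessException] {
            $state = 'Restricted'
            $detail = $_.Exception.Message
        }
        catch [System.IO.FileNotFoundException] {
            $state = 'NotPresent'
        }
        catch [System.IO.DirectoryNotFoundException] {
            $state = 'NotPresent'
        }
        catch {
            $detail = $_.Exception.Message
        }
        [pscustomobject]@{ Path = $p; State = $state; Detail = $detail }
    }
}

# A 32-bit process on 64-bit Windows sees System32 redirected to SysWOW64,
# so use the Sysnative alias to reach the 64-bit copy in that case.
$native = 'System32'
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    $native = 'Sysnative'
}

# Assumed locations of the 64-bit and 32-bit copies of the library.
$targets = @(
    (Join-Path $env:windir "$native\jscript.dll"),
    (Join-Path $env:windir 'SysWOW64\jscript.dll')
)

Test-JScriptAccess -Path $targets | Format-Table -AutoSize
```

On 64-bit Windows both copies should report `Restricted` when the workaround is applied; a copy that still reports `Accessible` remains loadable by Internet Explorer.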

Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued its own advisory, encouraging users and administrators to implement workarounds and switch to other browsers until a patch is available.

Indeed, Microsoft’s own cybersecurity chief Chris Jackson said in 2019 that Internet Explorer is a “compatibility solution.” In other words, it often works for businesses that depend on it for compatibility with existing web applications. The browser may not be the best solution for your daily web browsing needs.

Just a few days ago, Microsoft launched its new Chromium-based Edge browser.

