Microsoft issued a security advisory on January 17, 2020, for a 0-day vulnerability in Internet Explorer that affects virtually all versions of Windows (because Internet Explorer ships with those versions). The flaw lies in the JScript scripting engine and could be exploited to execute code remotely. Here is some information, including how to work around it.
Internet Explorer 0-Day vulnerability
On January 17, 2020, Microsoft issued a security advisory about a zero-day vulnerability in Internet Explorer for which no patch is available yet. According to Catalin Cimpanu, the Chinese security vendor Qihoo 360 had briefly tweeted about it last week but deleted the tweet again. Here is the security notification from Microsoft:
Title: Microsoft Security Advisory Notification
Issued: January 17, 2020
Security Advisories Released or Updated on January 17, 2020
* Microsoft Security Advisory ADV200001
– ADV200001 | Microsoft Guidance on Scripting Engine Memory Corruption Vulnerability
– Reason for Revision: Information published.
– Originally posted: January 17, 2020
– Updated: N/A
– Version: 1.0
There is a memory corruption vulnerability in the scripting engine that is also used by Internet Explorer.
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
When objects are executed by the Scripting Engine in Internet Explorer, a memory corruption may occur.
Remote code execution possible
The vulnerability could cause memory corruption that could allow an attacker to execute arbitrary code in the context of the current user. This vulnerability could allow remote code execution (RCE).
An attacker who successfully exploited the vulnerability would gain only the same user rights as the current user. If the current user is logged on with administrative rights, however, the attacker could take control of the affected system: install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that exploits the vulnerability through Internet Explorer and then try to lure a user to that site (for example, by sending an e-mail containing a link to it).
Critical, but manageable
Microsoft classifies the vulnerability, which exists in all supported Windows systems, as critical. However, by default, Internet Explorer runs in Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019 in a restricted mode that is called Advanced Security Configuration.
This security configuration uses a set of preconfigured settings in Internet Explorer that can reduce the likelihood that a user or administrator will download and run specially crafted Web content on a server. This is a mitigating factor for websites that you have not added to the Trusted Sites zone in Internet Explorer.
Workaround: disable JScript.dll if necessary
As a workaround, Microsoft suggests disabling access to the JScript.dll. For 32-bit systems, run the following commands in an administrative prompt.
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
For 64-bit systems, execute the following commands in an administrative prompt.
takeown /f %windir%\syswow64\jscript.dll
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
Note: The commands shown above are for an English Windows. On localized Windows editions, you need to replace ‘everyone’ with the localized group name. On my German Windows I need to replace it with ‘jeder’. Create a backup before using the workaround from Microsoft, and also read the remarks below about collateral damage.
As a result, access to jscript.dll is blocked for every user and the vulnerability can no longer be exploited through it. Components or features that rely on jscript.dll will lose functionality. If applications stop working because of this, Microsoft’s article contains instructions for restoring access to the DLL.
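The following PowerShell script is an added example and not code from Microsoft’s advisory or from this blog; it checks whether the workaround above is in place on the jscript.dll copies and can apply or revert it. It assumes an elevated PowerShell on the affected machine and uses the well-known SID of the Everyone group (S-1-1-0) instead of the group name, which sidesteps the localization issue noted above; the backup file name and the -Apply/-Undo switches are this script’s own choices.

```powershell
# Added example (not from the advisory or the blog post). Reports whether the ADV200001
# workaround is applied to jscript.dll and optionally applies (-Apply) or reverts (-Undo) it.
# Uses the Everyone SID S-1-1-0, so it works on localized Windows too. Run elevated.
param([switch]$Apply, [switch]$Undo)

$EveryoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
# 32-bit Windows has only System32; 64-bit Windows has both copies, as in the advisory.
$targets = @("$env:windir\System32\jscript.dll", "$env:windir\SysWOW64\jscript.dll") |
    Where-Object { Test-Path -LiteralPath $_ }

function Test-JScriptBlocked([string]$Path) {
    # Treat the workaround as applied when an explicit Deny ACE for Everyone exists,
    # which is what "cacls ... /E /P everyone:N" from the advisory creates.
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -eq $EveryoneSid -and $ace.AccessControlType -eq 'Deny') { return $true }
    }
    return $false
}

foreach ($dll in $targets) {
    # Backup location chosen for this example: one SDDL file per directory (System32/SysWOW64).
    $backup = Join-Path $env:ProgramData ("jscript-dacl-" + (Split-Path (Split-Path $dll) -Leaf) + ".sddl")
    $blocked = Test-JScriptBlocked $dll
    Write-Output ("{0}: workaround {1}" -f $dll, $(if ($blocked) { 'APPLIED' } else { 'NOT applied' }))

    if ($Apply -and -not $blocked) {
        # Save the current DACL first so the change can be reverted with -Undo.
        (Get-Acl -LiteralPath $dll).Sddl | Set-Content -LiteralPath $backup
        # Same two steps as the advisory; "*S-1-1-0" is icacls' syntax for a numeric SID.
        takeown /f $dll | Out-Null
        icacls $dll /deny '*S-1-1-0:(F)' | Out-Null
        Write-Output "  applied; DACL backup written to $backup"
    }
    elseif ($Undo -and $blocked -and (Test-Path -LiteralPath $backup)) {
        # Restore only the DACL section of the saved descriptor; the ownership change made
        # by takeown is deliberately left alone (setting TrustedInstaller back needs extra privilege).
        $acl  = Get-Acl -LiteralPath $dll
        $sddl = (Get-Content -LiteralPath $backup -Raw).Trim()
        $acl.SetSecurityDescriptorSddlForm($sddl, [System.Security.AccessControl.AccessControlSections]::Access)
        Set-Acl -LiteralPath $dll -AclObject $acl
        Write-Output "  DACL restored from $backup"
    }
}
```

Run it without switches to audit a machine; the report line per DLL is also a quick way to confirm that the advisory’s own cacls commands took effect.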
By default IE11, IE10 and IE9 use the Jscript9.dll file, which is not affected by this vulnerability. This vulnerability affects only certain Web sites that use Jscript as their script engine. For more details, see Microsoft’s ADV200001 article.
Addendum: At your own risk
The above workaround from Microsoft causes a number of collateral damages: everything that needs JScript (that is, the library) will no longer work. For example, a blog reader reported that logging in to Microsoft online accounts in IE no longer works. And the following tweet indicates that BitLocker Recovery is causing issues.
— Manfred Martin (@freddyz2001) January 19, 2020
I now have issues with Firefox (portable version on Windows 7). The browser launches, but can’t display any web page – even the settings page won’t open anymore. I don’t know if it’s related to the workaround (using other profiles, omitting add-ins etc. doesn’t help, but FF works in the Tor bundle).