A fix for the 0-day vulnerability CVE-2020-0674 in Internet Explorer’s JScript library, which was published a few days ago, has been released by 0patch today. Here is some information about what I have found so far – the article will be updated as new findings are made.
What is CVE-2020-0674 about?
Microsoft has issued advisory ADV200001 for a 0-day vulnerability (CVE-2020-0674 is reserved for this vulnerability) in Internet Explorer as of January 17, 2020. The vulnerability affects IE 9, 10, and 11 and thus virtually all versions of Windows (since Internet Explorer is included as a browser in those versions).
There is a memory corruption vulnerability in the scripting engine that is also used by Internet Explorer. When objects are executed by the scripting engine in Internet Explorer, memory overflows or corruption may occur. As a result, attackers can use prepared web pages to corrupt IE’s memory in such a way that code can be injected and executed remotely.
An attacker who successfully exploited the vulnerability would only be granted the same user rights as the current user. If the current user is logged on with administrative user rights, however, the attacker has the opportunity to take control of an affected system. An attacker could then install programs, display, change, or delete data, or create new accounts with full user rights.
This is just a worst-case scenario, which I reported on in the blog post Warning: 0-Day vulnerability in Internet Explorer (01/17/2020). There I also suggested the workaround suggested by Microsoft, but it causes some collateral damage:
- Windows Media Player can’t play MP4 files.
- The system file check sfc (Resource Checker) will choke on the jscript.dll file if the access rights are changed.
- Printing with “Microsoft Print to PDF” is broken.
- Automatic proxy configuration scripts (PAC scripts) may not work.
A bit heavy, but Microsoft does not intend to close this vulnerability in a timely manner with an unscheduled patch. Instead, it plans to deliver an update for the supported Windows versions on the February 2020 patchday. Whether Windows 7 SP1 and Windows Server 2008 R2 will receive a patch outside the ESU program is completely open.
0patch provides a fix
It was a ‘litmus test’ for me to see how long it takes until 0patch releases something. I’m in contact with Mitja Kolsek, CEO of ACROS Security and co-founder of 0patch, because I’m also planning something about 0patch solutions for Windows 7 SP. Mitja Kolsek has just informed me via private Twitter message about the 0patch solution developed by his company.
Video of micropatch in action https://t.co/dL7qxdA9hg
— 0patch (@0patch) January 21, 2020
In the blog post Micropatching a Workaround for CVE-2020-0674, Mitja Kolsek describes the kill switch for the jscript.dll library vulnerability. His team found a test case for loading jscript.dll described by Google’s Project Zero and used it to test this DLL for the vulnerability. It was then possible to develop a micropatch for the vulnerability. The 0patch developers have ported this micropatch to the following platforms, for 32-bit and 64-bit:
- Windows 10 v1709
- Windows 10 v1803
- Windows 10 v1809
- Windows Server 2008 R2
- Windows Server 2019
According to the provider, 0patch users have already downloaded this micropatch with the 0patch agent to all Windows systems that can go online and – depending on the settings – have already automatically applied it to all processes that use the Internet Explorer 11 engine to render content. This includes (of course) Internet Explorer, Microsoft Word, Microsoft Outlook and a variety of other applications. The YouTube video linked in the above tweet shows the application.
0patch agent and account required
To use the micropatch, you need the 0patch agent, which can be downloaded free of charge from the 0patch website and then installed on Windows. The installer and the agent require administrator rights to run.
The agent is operated via the 0patch console, which can be launched from the Windows start menu. To retrieve the micropatches in the 0patch console, you need a user account with the provider 0patch. For private use a free account is offered, which I have created with an e-mail address for testing purposes. At this level, free micropatches are applied. For companies requiring more patches, there are also business and enterprise account variants that can be bought on a subscription basis.
However, the JScript DLL patch listed here in the free account refers to a memory corruption vulnerability CVE-2019-1429 from November 2019 (I haven’t patched it on the test system yet because IE11 is not used). So the 0patch agent shows if unfixed vulnerabilities are present.
I found the micropatch for the current vulnerability CVE-2020-0674 (after a hint from Mitja Kolsek) under ‘Installed Patches’ under the numbers 402-404 for the mshtml.dll. Cool thing.