Microsoft also released the KB4537767 cumulative security update for Internet Explorer on February 11, 2020. Here is some information about this update.
The vulnerability CVE-2020-0674 in IE
Cumulative security update KB4537767 for Internet Explorer patches the 0-day vulnerability CVE-2020-0674, which was reported in mid-January 2020. This vulnerability was discovered by Clément Lecigne of the Google Threat Analysis Group and Ella Yu of Qihoo 360.
There is a memory corruption vulnerability in the scripting engine used by Internet Explorer. When the scripting engine in Internet Explorer handles objects, memory overflows or corruption may occur. As a result, attackers can use crafted web pages to corrupt IE’s memory in such a way that code can be injected and executed remotely.
I had reported on this in the blog post Warning: 0-Day vulnerability in Internet Explorer (01/17/2020). I also described the workaround suggested by Microsoft in that blog post. But the workaround causes some collateral damage, as mentioned in my post.
Update KB4537767 for Internet Explorer
On 11 February 2020, Microsoft then released the cumulative security update KB4537767 for Internet Explorer. The update applies to:
- Internet Explorer 11 on
  - Windows Server 2012 R2,
  - Windows Server 2012,
  - Windows Server 2008 R2 SP1,
  - Windows 8.1 Update and
  - Windows 7 SP1
- Internet Explorer 10 on Windows Server 2012
- Internet Explorer 9 on Windows Server 2008 SP2
The security update is part of the monthly rollup updates for Windows 7 SP1 and Windows 8.1 and their server counterparts. In Windows 10, the security update for Internet Explorer is also delivered with the cumulative security update for the respective Windows version. If you install security-only updates for Windows 7 SP1 and Windows 8.1 and their server counterparts, you must take care of installing the update yourself.
- The cumulative security update KB4537767 for Internet Explorer 11 is available on Windows Server 2012 and in Windows Embedded 8 Standard via Windows Update.
- For other versions of Windows, the KB4537767 cumulative security update for Internet Explorer can be downloaded from the Microsoft Update Catalog for manual installation.
- In addition, the KB4537767 cumulative security update for Internet Explorer is available via WSUS for distribution in enterprise environments.
In this article, colleagues at Bleeping Computer have prepared a table listing the KB packages that contain the updates for each Windows variant. However, pay attention to the notes in the support article for KB4537767 regarding the known issues and constraints associated with the update.
Important: Undo the mitigation workaround in IE
Anyone who has applied the workaround specified by Microsoft in mid-January 2020 to mitigate the 0-day vulnerability (see this Microsoft article about the 0-day vulnerability) must reverse this workaround before installing the update.
If you changed the permissions for JScript.dll to work around the IE vulnerability disclosed in January, you need to undo it before applying security updates this month. If you don’t know what I’m talking about, carry on.. #MEMCM #SCCM https://t.co/TqUt6HU1Vo
— Julie Andreacola (@jandreacola) February 12, 2020
Microsoft employee Julie Andreacola points this out in the above tweet. Otherwise, problems with the update installation could occur.
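The following PowerShell check is an added example, not part of the original post or of Microsoft's guidance: it reports whether jscript.dll still carries the permission change before the update is installed. It assumes the workaround was applied as a Deny entry for the Everyone group (SID S-1-1-0) on the System32 and SysWOW64 copies of the file; the function name is hypothetical.

```powershell
# Added example (not from the original post): report whether jscript.dll still
# carries a Deny entry for Everyone before KB4537767 is installed.
# Assumption: the workaround was a Deny ACE for Everyone (SID S-1-1-0).
function Get-JScriptWorkaroundState {
    [CmdletBinding()]
    param(
        # Run from 64-bit PowerShell so System32 is not redirected to SysWOW64.
        [string[]]$Path = @(
            (Join-Path $env:windir 'System32\jscript.dll'),
            (Join-Path $env:windir 'SysWOW64\jscript.dll')
        )
    )
    foreach ($file in $Path) {
        # SysWOW64 is absent on 32-bit Windows; skip paths that do not exist.
        if (-not (Test-Path -LiteralPath $file)) { continue }
        $result = [pscustomobject]@{
            Path = $file; Owner = $null; EveryoneDenyCount = $null; State = 'Unknown'
        }
        try {
            $acl = Get-Acl -LiteralPath $file -ErrorAction Stop
            # Translate ACEs to SIDs so localized group names still match.
            $rules = $acl.GetAccessRules($true, $true,
                [System.Security.Principal.SecurityIdentifier])
            $deny = @($rules | Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Value -eq 'S-1-1-0'
            })
            $result.Owner = $acl.Owner
            $result.EveryoneDenyCount = $deny.Count
            $result.State = if ($deny.Count -gt 0) { 'WorkaroundPresent' } else { 'Clean' }
        }
        catch {
            # A Deny entry can block reading the ACL for non-owners; flag for review.
            $result.State = 'ReadFailed'
        }
        $result
    }
}

$state = @(Get-JScriptWorkaroundState)
$state | Format-Table -AutoSize
if ($state | Where-Object { $_.State -ne 'Clean' }) {
    Write-Warning 'jscript.dll permissions need review before installing KB4537767.'
}
```

Run it from an elevated session; any state other than Clean means the file should be checked and the workaround reversed as described in the Microsoft article before the update is installed.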