0patch Mitigation for CVE-2020-0674 in Windows 10 V190x

[German]ACROS Security has ported its micropatch for the CVE-2020-0674 vulnerability in Internet Explorer to Windows 10. In addition, a test page has been set up where users can test whether the micropatch has closed the CVE-2020-0674 vulnerability in Internet Explorer.


The Internet Explorer vulnerability CVE-2020-0674

Microsoft has issued advisory ADV200001  on a 0-day vulnerability (CVE-2020-0674) in Internet Explorer on January 17, 2020. A memory corruption vulnerability exists in the scripting engine that is also used by Internet Explorer. When objects are executed by the Scripting Engine in Internet Explorer, memory overflows or corruption may occur. As a result, attackers can use prepared Web pages to corrupt IE's memory in such a way that remote code can be infiltrated and executed.

An attacker who successfully exploited the vulnerability would only be granted the same user rights as the current user. However, if the current user is logged on with administrative user rights, the attacker has the option of taking control of an affected system. An attacker could then install programs, display, change, or delete data, or create new accounts with full user rights. The vulnerability affects IE 9, 10, and 11, and affects virtually all versions of Windows (since Internet Explorer is included as a browser).

Windows 10 Bugs in February Update prevents patch

Microsoft has closed the vulnerability as of February 11, 2020, with the Internet Explorer security update KB4537767 for Windows 7/8.1 and various cumulative updates for Windows 10 (see also Internet Explorer Security Update KB4537767 (Feb. 2020) and Patchday Windows 10-Updates (February 11, 2020)).

However, some users cannot install the February 2020 cumulative update on Windows 10 V1903 and 1909. This is because the update causes users to be logged on with a temporary user profile. The system can no longer be used afterwards. If you cannot solve this problem, you have to block the security update – it is therefore protected when using Internet Explorer.

0patch solution for affected Windows 10 users

The vendor Acros Security had already released an 0patch solution to close the CVE-2020-0674 vulnerability before Microsoft released the security update. After reporting the problem of user profiles in conjunction with the cumulative updates for Windows 10 version 1903/1909, Acros Security responded.


0patch has ported the micropatch for the CVE-2020-0674 vulnerability for Windows 10 version 1903 and version 1909. Windows 10 users who do not want to install a cumulative update of the above issues can put it on hold. Instead of the Microsoft update the micropatch is available for all 0patch subscribers (also Free subscription) to close the vulnerability. I reported about the patch for Windows 7 in the blog post 0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674.

If Windows Servers are affected by the above issue: Kaspersky states on this page that they are protected by Kaspersky Security 10.x against the CVE-2020-0674 vulnerability.

0patch has set up an IE test page

To test whether Internet Explorer on a system is protected by the 0patch micropatch, people have set up a test page.

If this is called up in Internet Explorer 11 under one of the mentioned operating systems, a display is shown with the information whether the browser is protected.

0patch Test for CVE-2020-0674

In the figure above, the test page reports that the micropatch is not present – which is correct. However, I installed the IE 11 security update from February 11, 2020 on the machine – so it is protected.

Additional Informationen about the IE 11 Test

After writing the article (it was night here in Europe) I asked Mitja Kolsek what they were testing and why the IE 11 with ESU patch came back with the result shown above. Here is his answer:

Our test page executes a sort(sortfunction) function on an array [2,1,3] and checks the result: if the result is [3,2,1] then the sortfunction was used, which means our micropatch (which blocks this functionality) was not in place. If the result is [1,2,3], our micropatch did its job and prevented the use of sortfunction.

However, if you have February 2020 updates applied, it's safe to allow sort(sortfunction) to execute and our micropatch doesn't get applied.

This is explained in the text of the test page and we also added "(unless you visited this page on Windows with February 2020 or later updates applied)" to the "You're vulnerable" message to avoid confusion. I hope this clears it up?

Thanks, Mitja

Sounds logical and is logical. And in an addendum, he writes:

If we wanted to create a generic online test for CVE-2020-0674, we'd have to publish a POC (which would crash a vulnerable browser, but not a not-vulnerable one), but that would also help attackers and we want them to have to do the extra work. We have no ideas on how to make a generic test without effectively publishing a POC.

That too is logical for me and very easy to understand.

Similar articles
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
Internet Explorer Security Update KB4537767 (Feb. 2020)
Microsoft Security Update Summary (February 11, 2020)
Patchday Windows 10-Updates (February 11, 2020)
Patchday: Updates for Windows 7/8.1/Server (Feb. 11, 2020)

Cookies helps to fund this blog: Cookie settings

This entry was posted in browser, Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *