ACROS Security has released a micropatch for the vulnerability CVE-2020-1062 (Internet Explorer scripting engine memory corruption) for Windows 7 and Server 2008 R2 (without ESU license). This is the second micropatch for the Internet Explorer scripting engine, after the one for CVE-2020-1380.
The vulnerability CVE-2020-1062
CVE-2020-1062 was issued for a scripting engine memory corruption vulnerability in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. Microsoft writes about this:
A remote code execution vulnerability exists if Internet Explorer improperly accesses objects in memory. The vulnerability could damage memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited this could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system, install programs, view, modify, or delete data, or create new accounts with full user rights.
An attacker could host a specially crafted Web site to exploit the vulnerability through Internet Explorer, and then convince a user to view the Web site. The attacker could also exploit compromised Web sites or Web sites that accept or host user-provided content or advertising by adding specially crafted content that could exploit the vulnerability. In either case, however, an attacker would have no way to force a user to view content controlled by the attacker. Instead, an attacker would have to force a user to act, typically by enticing the user in an e-mail or instant message, or by getting the user to open an e-mail attachment.
Microsoft released a security update for Internet Explorer 11 on May 12, 2020 that closes the vulnerability in the scripting engine. The fix is included in the Rollup Update for Windows 7 SP1. However, users of Windows 7 SP1 and Windows Server 2008 R2 who do not have an ESU license will no longer receive the security updates released by Microsoft.
0patch fix for Windows 7 SP1/Server 2008 R2
ACROS Security has developed a micropatch for the CVE-2020-1062 vulnerability. I got the information about the release of the micropatch for Windows 7 SP1 and Windows Server 2008 R2 on Twitter. More information can be found in the thread of the above tweet.
This micropatch is now available for 0patch users with PRO license and is already applied to all online computers with 0patch Agent (except in non-standard enterprise configurations). As always, there is no need to restart the computer and users’ work is not interrupted.
The analysis of the bug can be found on the Accenture blog. A video on how the patch works can be found here. Hints on how the 0patch agent works (it loads the micropatches into the memory of an application at runtime, without modifying the files on disk) can be found in the blog posts linked below (e.g. here).
Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2