Internet Explorer under attack by North Korean Hackers: What to Do


Following Microsoft's epic software patch last week, a new critical Windows vulnerability has appeared: a "zero-day" flaw in Internet Explorer, currently being exploited by North Korean hackers, for which there is no fix so far.

Readers should stop using Internet Explorer on all versions of Windows. Microsoft's Edge browser is far superior and safer, as are Google Chrome and Mozilla Firefox.

If IE is absolutely necessary for a web application that will not work with other browsers, use IE only from a restricted (standard, non-administrator) user account that cannot install or modify software. (Using a restricted account may be the most effective way to protect your PC.)

For the tech-savvy user, Microsoft has provided several mitigation scripts. Microsoft may not fix this problem until next month's Patch Tuesday, February 11. Some antivirus software makers may find a way to block this attack by then.

The new vulnerability appears to be related to a flaw in Firefox that Mozilla patched earlier this month, possibly from the same group of attackers; the Qihoo 360 researchers who discovered the Mozilla flaw initially tweeted that IE was also vulnerable but quickly deleted it.

In a blog post in Chinese, researchers identified the attack group as DarkHotel, a North Korean hacking group active since at least 2007 that specializes in tracking the movements of prominent business travelers.

In its public advisory, Microsoft said the vulnerability is being used for "limited targeted attacks," i.e., not against the public at large.

The IE flaw, cataloged as CVE-2020-0674, officially affects both supported versions of the browser, IE 10 and IE 11, on Windows 10, Windows 8.1 and the just-retired Windows 7 with Service Pack 1 (i.e., all versions of Windows 7). Presumably, it also affects earlier deprecated versions of IE and Windows.

Microsoft quietly disclosed the vulnerability in an advisory late Friday (January 17) and updated it on Sunday (January 19).

The "vulnerability exists in the way Internet Explorer's scripting engine handles objects in memory" and permits remote code execution, i.e., an attack over the Internet. "The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user."

If the current user has administrative privileges, an attacker could "install programs; view, modify, or delete data; or create new accounts with full user privileges."

"In a web-based attack scenario," the advisory added, "an attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and persuade the user to visit that website, for example by sending an email."

This vague description is still consistent with Firefox's own zero-day flaw earlier this month, which involved an error in the way the browser's just-in-time code compiler handled JavaScript, the scripting language that makes websites interactive.

The silver lining is that exploiting the Internet Explorer flaw requires an outdated dynamic-link library called jscript.dll. (A DLL is a piece of operating system code stored independently so that multiple programs can use it.)

In IE 10 and 11, this old DLL has been replaced by a newer one called jscript9.dll, and jscript9.dll is not affected by this vulnerability. However, IE 10 and 11 can still load jscript.dll if a website requests it, and the old DLL is still used by default in IE 9 and earlier on Windows 7.

Anyone familiar with the Windows command line can mitigate this vulnerability by running a few commands from an administrator account.

For 32-bit Windows, use these in succession:

takeown /f %windir%\system32\jscript.dll

cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit Windows, run those two commands and then these two as well:

takeown /f %windir%\syswow64\jscript.dll

cacls %windir%\syswow64\jscript.dll /E /P everyone:N

If you need to undo these mitigations, on 32-bit Windows you can do so by:

cacls %windir%\system32\jscript.dll /E /R everyone

Users of 64-bit Windows also need to run:

cacls %windir%\syswow64\jscript.dll /E /R everyone
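For readers who would rather not type the commands one at a time, the following PowerShell script is an added example (not from this article or from Microsoft) that applies, verifies or undoes the same jscript.dll workaround. It picks the right set of files for 32- or 64-bit Windows, runs the same takeown/cacls steps as above, and then checks the file's ACL for a Deny entry using the well-known SID S-1-1-0 for Everyone so the check also works on non-English Windows; it must be run from an elevated (administrator) PowerShell prompt.

```powershell
# Added example: apply, verify or undo the CVE-2020-0674 jscript.dll workaround.
# Not the article's or Microsoft's code. Run from an elevated PowerShell prompt.
param(
    [ValidateSet('Apply', 'Verify', 'Undo')]
    [string]$Mode = 'Verify'
)

# System32 holds the native jscript.dll on every Windows; 64-bit Windows also
# carries a 32-bit copy under SysWOW64 that must be restricted as well.
$targets = @("$env:windir\System32\jscript.dll")
if ([Environment]::Is64BitOperatingSystem) {
    $targets += "$env:windir\SysWOW64\jscript.dll"
}

$everyoneSid = 'S-1-1-0'   # well-known SID for Everyone, independent of UI language

foreach ($dll in $targets) {
    if (-not (Test-Path -LiteralPath $dll)) {
        Write-Warning "$dll not found, skipping"
        continue
    }
    switch ($Mode) {
        'Apply' {
            # Same two steps as the article: take ownership, then deny Everyone.
            takeown /f $dll | Out-Null
            cacls $dll /E /P everyone:N | Out-Null
        }
        'Undo' {
            # Removes the Everyone entries (including the Deny) added above.
            cacls $dll /E /R everyone | Out-Null
        }
    }

    # Verify: an explicit Deny ACE for Everyone means IE can no longer load the
    # old engine, whichever mode ran above.
    $deny = (Get-Acl -LiteralPath $dll).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value -eq $everyoneSid
    }
    if ($deny) {
        "$dll : mitigated (Everyone denied: $($deny.FileSystemRights))"
    } else {
        "$dll : NOT mitigated (no Deny entry for Everyone)"
    }
}
```

Run it with `-Mode Apply` to enable the workaround, with no arguments to check the current state, and with `-Mode Undo` before installing Microsoft's eventual patch.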

