Microsoft Plans Fix For Actively Exploited Internet Explorer Security Flaw
Microsoft has issued a security bulletin warning Internet Explorer users of a zero day vulnerability that is actively being exploited in the wild, and unfortunately there is no patch available at this time. Microsoft is working on a fix, though the company hinted it may not arrive until the next Patch Tuesday roll out, which is still three weeks away (February 11, 2020).
It's been a bit of a tough week for Microsoft, in terms of major vulnerabilities rearing their ugly heads. As part of last week's Patch Tuesday roll out, Microsoft issued a fix for a major Windows cryptographic security flaw discovered by the US National Security Agency (NSA). Incidentally, it was the first time the NSA reported a flaw to Microsoft (as opposed to exploiting itself in the name of national security).
As for this latest bug, it pertains to a remote code execution vulnerability in the way that the scripting engine in IE handles objects in memory. If exploited, an attacker could corrupt a system's memory in such a way that they could run arbitrary code in the context of the current user. So if a person is logged in as an administrator, a malicious actor could take full control of an affected system and carry out any number of nefarious deeds, such as installing malware, spy sensitive documents, delete files, create new accounts with full user rights, and so forth.
The initial attack would require a user visiting a specially crafted website with IE. One way to carry this out is through traditional phishing methods—send an email to a user and convince that person to visit the booby-trapped website. This could also be carried by tricking a user into viewing a specially crafted email attachment, PDF file, Office document, or any other file supporting embedded IE scripting engine content.
"Microsoft is aware of this vulnerability and working on a fix. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers," Microsoft says.
That suggests a fix could be three weeks away (Patch Tuesday roll outs occur on the second Tuesday of each month). In the meantime, Microsoft told TechCrunch it is "aware of limited targeted attacks," though the company did not elaborate.
Fortunately, by default IE on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019 runs in a restricted mode known as Enhanced Security Configuration. This consists of a bunch of preconfigured settings that can reduce the likelihood of a user or admin downloading and running malicious web content on a server, Microsoft says.
For everyone else, if this is concern, Microsoft offered up a temporary workaround consisting of restricting access to JScript.dll. Instructions on how to do that (and how to later undo the workaround once a patch is released) can be found by mashing the link in the Via field below.