A new zero-day vulnerability discovered in Internet Explorer
Microsoft issued security advisory ADV200001 yesterday for a new zero-day vulnerability in Internet Explorer that is being actively exploited in the wild. Affected versions include Internet Explorer 9, 10, and 11 on Windows 7, Windows 8.1, and Windows 10. The vulnerability, CVE-2020-0674, is a remote code execution vulnerability that is triggered when the scripting engine, through the JScript.dll library, accesses memory.
Breaking down CVE-2020-0674
Once CVE-2020-0674 is exploited, attackers can take control of the machine by executing arbitrary code and gain the same access as the current user. If the user is logged in as an administrator, the attacker will have complete access to the machine and can add or remove users, change passwords, etc.
Microsoft is already aware of this zero day being exploited in the wild and is working on a patch to fix this vulnerability.
Mitigations
Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019 run with Enhanced Security Configuration. This feature will not restrict a user or an administrator from running crafted web content on the server, but it does apply only to untrusted websites that have not been added to Internet Explorer.
However, Microsoft has also given a workaround until the patch is made available.
Workaround
The solution is to restrict JScript.dll from running, which can resolve the zero day temporarily.
For 32-bit systems, run the following in the command prompt:
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
For 64-bit systems, run the following in the command prompt:
takeown /f %windir%\syswow64\jscript.dll
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
Impact of restricting JScript.dll
Since we have restricted the use of JScript.dll, certain features or websites that use JScript.dll may not work properly. Note that only sites that use JScript as the scripting engine are affected by this vulnerability.
What is the permanent solution?
A patch would be the permanent fix for this vulnerability. Please revert the above mitigation before deploying the patch to the systems.
Reverting the mitigation
For 32-bit systems:
cacls %windir%\system32\jscript.dll /E /R everyone
For 64-bit systems:
cacls %windir%\system32\jscript.dll /E /R everyone
cacls %windir%\syswow64\jscript.dll /E /R everyone
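To confirm on a given machine whether the workaround is currently applied or has been reverted, the ACL on each copy of jscript.dll can be inspected. The following PowerShell is an added example, not part of Microsoft's advisory; the function name Get-JScriptWorkaroundState is hypothetical, and it assumes that the cacls "everyone:N" entry is stored as an explicit Deny entry for the Everyone SID (S-1-1-0).

```powershell
# Added example: report whether the Everyone deny ACE from the workaround is present.
# Assumption: cacls "everyone:N" is stored as an explicit Deny ACE for the
# Everyone SID (S-1-1-0); matching the SID avoids localized account names.
function Get-JScriptWorkaroundState {
    param([string]$WinDir = $env:windir)

    $dirs = @('system32')
    if ([Environment]::Is64BitOperatingSystem) {
        $dirs += 'syswow64'
        # A 32-bit process on 64-bit Windows sees system32 redirected to
        # syswow64; sysnative reaches the real 64-bit directory.
        if (-not [Environment]::Is64BitProcess) { $dirs[0] = 'sysnative' }
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($dir in $dirs) {
        $path = Join-Path (Join-Path $WinDir $dir) 'jscript.dll'
        $state = 'NotApplied'
        if (-not (Test-Path -LiteralPath $path)) {
            $state = 'FileMissing'
        } else {
            try {
                $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
                # Explicit (non-inherited) rules only, identities as SIDs.
                $deny = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
                    $_.IdentityReference.Value -eq 'S-1-1-0' -and
                    $_.AccessControlType -eq 'Deny'
                }
                if ($deny) { $state = 'Applied' }
            } catch {
                # Reading the ACL can fail for accounts other than the owner
                # set by takeown while the deny entry is in place.
                $state = 'Unreadable'
            }
        }
        [pscustomobject]@{ Path = $path; State = $state }
    }
}

Get-JScriptWorkaroundState | Format-Table -AutoSize
```

Before deploying the patch, every path should report NotApplied; while the workaround is in force, every existing path should report Applied.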
Remember, patches are the only permanent remedy for zero-day vulnerabilities. Revert the mitigation and deploy the patch as soon as Microsoft releases it.