Threat Signal Report

CVE-2020-0674 Scripting Engine Memory Corruption Vulnerability

Description

Today's Microsoft Patch Tuesday release for February 11, 2020 contains 99 reported disclosures affecting almost as many product versions (due to the existence of multiple versions of the same product). This month's release has one critical bug that has seen exploitation in the wild: CVE-2020-0674, a scripting engine memory corruption vulnerability in Internet Explorer. Internet Explorer was deprecated back in 2016, which potentially minimizes risk for users running older browsers (Internet Explorer 9/10) on older platforms by forcing them to upgrade; however, support for Internet Explorer 11 still exists for the time being, even though Microsoft Edge was introduced in 2015.


What are the specifics of the vulnerability?

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.


What versions of software are affected?

Windows 10

Windows 7

Windows RT 8.1

Windows 8.1

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2016

Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2019


Is this issue Internet Explorer specific?

Yes, Internet Explorer 9, 10 and 11. Although the vulnerability was first reported to be in jscript.dll (the legacy engine for JavaScript code) and was thought to also affect Microsoft Word and Outlook via interaction with Internet Explorer, these latest updates have addressed the vulnerability as well.


Have there been reports of in-the-wild exploitation?

Yes, Microsoft has observed in-the-wild attacks exploiting CVE-2020-0674. Attribution is unknown at this time.


Any suggestions or mitigations?

FortiGuard Labs suggests that customers running Internet Explorer apply this month's February 2020 updates when feasible. If that is not possible, it is recommended that those affected discontinue usage of affected versions for the time being and use an alternative browser until the patches can be applied.


What is the status of AV and IPS coverage?

Fortinet customers running the latest definitions set are currently protected against CVE-2020-0674 by our IPS signature:

MS.IE.Scripting.Engine.JScript.dll.Memory.Corruption

AV coverage is not feasible for this event.


References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674

Definitions

Traffic Light Protocol

TLP: RED

Not for disclosure, restricted to participants only.
When should it be used? Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants' organizations.
When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
When should it be used? Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
When should it be used? Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.