CVE-2020-0674 Scripting Engine Memory Corruption Vulnerability

Description

Today's Microsoft Patch Tuesday release for February 11, 2020 contains 99 reported disclosures affecting almost as many product versions (because multiple versions of the same product exist). This month's release has one critical bug that has seen exploitation in the wild: CVE-2020-0674, a scripting engine memory corruption vulnerability in Internet Explorer. Internet Explorer was deprecated back in 2016, which potentially minimizes risk for users running older browsers (Internet Explorer 9/10) on older platforms by forcing them to upgrade. However, support for Internet Explorer 11 still exists for the time being, even though Microsoft Edge was introduced in 2015.


What are the specifics of the vulnerability?

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.


What versions of software are affected?

Windows 10

Windows 7

Windows RT 8.1

Windows 8.1

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2016

Windows Server 2012 R2

Windows Server 2012

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2019


Is this issue Internet Explorer specific?

Yes, Internet Explorer 9, 10 and 11. The vulnerability was first reported to be in jscript.dll (the legacy engine for JavaScript code) and was thought to also affect Microsoft Word and Outlook via their interaction with Internet Explorer; the latest updates address this as well.


Have there been reports of in-the-wild exploitation?

Yes, Microsoft has observed in-the-wild attacks exploiting CVE-2020-0674. Attribution is unknown at this time.


Any suggestions or mitigations?

FortiGuard Labs suggests that customers running Internet Explorer apply the February 2020 updates when feasible. If that is not possible, those affected should discontinue use of the affected versions for the time being and use an alternative browser until the patches can be applied.


What is the status of AV and IPS coverage?

Fortinet customers running the latest definitions set are currently protected against CVE-2020-0674 by our IPS signature:

MS.IE.Scripting.Engine.JScript.dll.Memory.Corruption

AV coverage is not feasible for this event.


References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674