TTCSIRT-288.022620: TT-CSIRT ADVISORY- MICROSOFT INTERNET EXPLORER SCRIPTING ENGINE MEMORY CORRUPTION VULNERABILITY.

TTCSIRT-288.022620: TT-CSIRT ADVISORY- MICROSOFT INTERNET EXPLORER SCRIPTING ENGINE MEMORY CORRUPTION VULNERABILITY.

The Microsoft Internet Explorer Scripting Engine contains a memory corruption vulnerability, which can allow a remote, unauthenticated attacker to execute arbitrary code.

 

Description

Microsoft Internet Explorer contains a scripting engine, which handles execution of scripting languages such as VBScript and JScript. The scripting engine JScript component contains an unspecified memory corruption vulnerability. Any application that supports embedding Internet Explorer or its scripting engine component may be used as an attack vector for this vulnerability.

 

This vulnerability was detected in exploits in the wild.

 

Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page an email attachment), PDF file, Microsoft Office document, or any other document that supports embedded Internet Explorer scripting engine content, an attacker may be able to execute arbitrary code.

 

Solution

Apply an update

 

This issue is addressed in the Microsoft update for CVE-2020-0674. Please also consider the following workaround:

 

Restrict access to jscript.dll

 

jscript.dll is a library that provides compatibility with a deprecated version of JScript that was released in 2009. Blocking access to this library can prevent exploitation of this and similar vulnerabilities that may be present in this old technology. When Internet Explorer is used to browse the modern web, jscript9.dll is used by default. Note, however, that any given website has the ability to opt in to using the legacy jscript.dll instead of the default.

 

From Security Advisory ADV200001:

 

For 32-bit systems, enter the following command at an administrative command prompt:

 

takeown /f %windir%\system32\jscript.dll

cacls %windir%\system32\jscript.dll /E /P everyone:N

 

For 64-bit systems, enter the following command at an administrative command prompt:

takeown /f %windir%\syswow64\jscript.dll

cacls %windir%\syswow64\jscript.dll /E /P everyone:N

takeown /f %windir%\system32\jscript.dll

cacls %windir%\system32\jscript.dll /E /P everyone:N

 

To revert the above changes:

 

For 32-bit systems, enter the following command at an administrative command prompt:

cacls %windir%\system32\jscript.dll /E /R everyone

 

For 64-bit systems, enter the following command at an administrative command prompt:

cacls %windir%\system32\jscript.dll /E /R everyone

cacls %windir%\syswow64\jscript.dll /E /R everyone

 

By default, IE11, IE10, and IE9 uses Jscript9.dll which is not impacted by this vulnerability. This vulnerability only affects certain websites that utilize jscript as the scripting engine.

 

 

References

 

 

The Trinidad and Tobago Cyber Security Incident Response Team (TTCSIRT) encourages users and administrators to review and apply the necessary updates.