No fix until February for Internet Explorer zero-day being actively exploited in targeted attacks
Internet Explorer vulnerability found in the scripting engine that handles objects in memory
Microsoft has warned about an as-yet unpatched zero-day vulnerability in Internet Explorer (IE) that is being actively exploited by threat actors in targeted attacks.
Microsoft attributes the remote code execution (RCE) security flaw, indexed as CVE-2020-0674, to the way that the scripting engine handles objects in memory in IE.
The bug could enable an attacker to use the corrupted memory to remotely execute arbitrary code on a vulnerable system.
The main function of IE scripting engine is to handle execution of scripting languages, such as VBScript and JScript, Microsoft's Javascript clone.
This memory corruption vulnerability exists in the JScript component of the scripting engine, and any application that supports embedding IE or "its scripting engine component may be used as an attack vector for this vulnerability."
"An attacker who successfully exploited the vulnerability could gain the same user rights as the current user," Microsoft stated in its advisory.
If the user is logged on with admin rights, an attacker successfully exploiting the bug could take control of the targeted machine and nstall programmes and modify/delete data. They could also create new users accounts with administrative rights.
In a web-based attack scenario, attackers could use the vulnerability to trick users into opening malicious links sent to them through phishing emails and direct them to a specially-crafted website.
According to Microsoft, IE running on all supported versions of Windows are affected by the bug, including Windows 7, which officially reached end-of-life on 14th January 2020.
This is bad news for users as Microsoft has yet to release a security patch for the vulnerability, although IE now has a market share of under 10 per cent. Presently, the company is advising users to apply mitigations and workarounds to reduce the threat.
Microsoft also said that it was currently aware of only limited targeted attacks being launched by attackers by exploiting CVE-2020-0674.
The zero-day vulnerability is also thought to be similar to another vulnerability that hackers were exploiting in Firefox. The flaw was patched by Mozilla last week.
Both Mozilla and Microsoft credited China-based security research firm Qihoo 360 with uncovering the security flaws.