Temporary patch issued to cover IE 11 security flaw being actively exploited in the wild
Third-party 'Micropatch' will provide protection for out-of-support Windows 7 and Windows Server 2008 R2 users
A temporary patch to protect the sub-10 per cent of Windows users still running Internet Explorer has been rushed out by a security company. The 'micropatch' is intended to protect IE 11 users following reports that a security flaw is being actively targeted by hackers.
The free micropatch from ACROS Security essentially wraps up Microsoft's mitigations, published over the weekend, into a deployable form that consumers and organisations can roll out to devices running Windows 7, Windows 10 version 1709, v1803 and v1809, Windows Server 2008 R2 and Windows Server 2019.
However, the company claims that it should avoid the negative side-effects of Microsoft's proposed workaround to the security flaw, filed as CVE-2020-0674, which include breaking the functionality of several Windows applications and features.
The company produced the patch partly because Microsoft decided that the security issue wasn't pressing enough to rush out a full patch, providing mitigation instructions instead, and partly because users of Windows 7 and Windows Server 2008 R2 are no longer supported by Microsoft and will probably not receive the patches that Microsoft is working on.
Those will be delivered to Windows 10 and Windows Server 2019 users in February's Patch Tuesday updates.
"The vulnerability is in jscript.dll, which is the scripting engine for legacy JScript code; note that all 'non-legacy' JScript code (whatever that might be), and all JavaScript code gets executed by the newer scripting engine implemented in jscript9.dll," advised the ACROS Security 0Patch blog.
It continued: "Microsoft's workaround comprises setting permissions on jscript.dll such that nobody will be able to read it. This workaround has an expected negative side effect that if you're using a web application that employs legacy JScript (and can as such only be used with Internet Explorer), this application will no longer work in your browser."
The company claims that its patch can be quickly and easily reverted when Microsoft gets round to issuing its own.
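For administrators who need to know which machines already have the permissions-based workaround described above, the following PowerShell audit is an added example, not code from Microsoft or ACROS Security. It assumes the two standard locations of jscript.dll and that the workaround is implemented as a Deny entry for the Everyone SID; the function name is hypothetical.

```powershell
# Added example: report whether jscript.dll carries a Deny entry for
# Everyone that covers read access (the workaround the article describes).
# Assumptions: standard DLL locations; workaround = Deny ACE for S-1-1-0.
$everyone = 'S-1-1-0'
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
$sidType  = [System.Security.Principal.SecurityIdentifier]

function Get-JScriptWorkaroundState {
    param([string[]]$Path)

    foreach ($p in $Path) {
        $state = 'NotApplied'
        if (-not (Test-Path -LiteralPath $p)) {
            $state = 'FileMissing'      # e.g. no SysWOW64 on 32-bit Windows
        }
        else {
            try {
                $acl   = Get-Acl -LiteralPath $p -ErrorAction Stop
                # Translate identities to SIDs so the check is locale-independent.
                $rules = $acl.GetAccessRules($true, $true, $sidType)
                foreach ($r in $rules) {
                    if ($r.IdentityReference.Value -eq $everyone -and
                        $r.AccessControlType -eq 'Deny' -and
                        ($r.FileSystemRights -band $readData)) {
                        $state = 'Applied'
                    }
                }
            }
            catch {
                # Get-Acl failed, e.g. the caller is not the file owner and
                # the deny entry also blocks reading the ACL.
                $state = 'AclUnreadable'
            }
        }
        [pscustomobject]@{ Path = $p; State = $state }
    }
}

Get-JScriptWorkaroundState -Path @(
    (Join-Path $env:windir 'System32\jscript.dll'),
    (Join-Path $env:windir 'SysWOW64\jscript.dll')
)
```

Run it from an elevated session; an `AclUnreadable` result from an unprivileged account is inconclusive on its own and should be rechecked with rights to read the file's ACL.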