Serviceteam IT Security News

You may want to implement a workaround or stop using the browser altogether, at least until Microsoft issues a a fix

Microsoft has released a security advisory alerting users to an as-yet unpatched vulnerability in its Internet Explorer (IE) web browser that is being exploited in limited targeted attacks.

The zero-day, which is tracked as CVE-2020-0674, is a memory corruption issue in the browser’s scripting engine. Its exploitation could enable remote attackers to run code of their choice on the compromised system.

The remote-code execution (RCE) security hole affects IE versions 9, 10 and 11 running on all supported Windows desktop and server versions, as well as the no-longer-supported Windows 7. The vulnerability can be exploited by attackers who lure you to visit a malicious website via the browser, typically by sending an email. It could ultimately enable crooks to install programs, tamper with data or set up new accounts with full user rights on the affected system.

Déjà vu with a twist

If most of this sounds familiar, it is for good reason. As recently as September and November 2019, respectively, the company disclosed two other zero-days in the browser.

There is an important difference, though. This time no patch is available – for the time being, anyway. Instead, it appears that the fix will not be rolled out until the next Patch Tuesday, February 11th.

“Microsoft is aware of this vulnerability and working on a fix. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month,” said the tech giant.

Other than that, it is thought that the vulnerability may be related to another recently-disclosed zero-day flaw – this time in the Firefox browser. Mozilla released a patch for the latter vulnerability earlier this month.

What to do?

The newly-disclosed flaw can be mitigated by restricting access to the JavaScript component JScript.dll. Also, Microsoft noted that the risk of exploitation is lower on Windows Server, where Internet Explorer is, by default, locked down to protect against browser-based attacks. This restricted mode, called Enhanced Security Configuration, “can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server”, said Microsoft.

Meanwhile, the United States’ Cybersecurity and Infrastructure Security Agency (CISA) released its own advisory, encouraging users and admins to implement workarounds and switch to other browsers until a patch is available.

Indeed, Microsoft’s own cybersecurity chief Chris Jackson said back in 2019 that Internet Explorer is a “compatibility solution”. In other words, it often works for businesses that are reliant on it for the sake of compatibility with legacy web apps. The browser may not be the best solution for your daily web browsing needs.

Just days ago, Microsoft launched its new Chromium-based Edge browser.

Source: HERE

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!