Number: AL20-004
Date: 20 January 2020
AUDIENCE
========
This Alert is intended for IT professionals and managers of notified organizations. Recipients of this information may redistribute it within their respective organizations.
PURPOSE
=======
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
OVERVIEW
========
On 17 January 2020 Microsoft released a security bulletin detailing a critical, remotely-exploitable vulnerability in Internet Explorer 9, 10 and 11. The vulnerability may allow an actor to execute arbitrary code in the context of the current user.
Microsoft has assigned CVE-2020-0674 to this vulnerability and stated they are working on a fix to be released as part of their February 2020 patch cycle.
Microsoft has stated this unpatched vulnerability is actively being abused to compromise exposed systems.
DETAILS
=======
The Cyber Centre is aware that a previously unknown, unpatched Internet Explorer vulnerability is actively being used to compromise vulnerable systems. Internet Explorer 9 through 11 on Microsoft Windows 7 through 10 and on Server 2008 through Server 2016 are all affected.
This critical, remotely-exploitable vulnerability in the way the Internet Explorer scripting engine handles objects in memory may corrupt memory in such a way that an actor could execute arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, this may lead to installation of programs; viewing, modifying, or deletion of data; or creation of new accounts with full user rights.
In a web-based exploitation scenario, an actor could host a specially crafted website designed to exploit this vulnerability and then convince a user to view the website by sending an email with an embedded link.
As patches for this vulnerability are not yet available, the Cyber Centre recommends that system owners refer to the Mitigation section of this Alert to protect their networks.
MITIGATION
==========
The Cyber Centre recommends that until the security patches are released, system owners should apply the mitigation steps to restrict access to jscript.dll as recommended by Microsoft. Note that implementing this might result in reduced functionality for components or features that rely on jscript.dll. These recommended workarounds are detailed on the Microsoft website:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001
Note: jscript.dll is a library that provides compatibility with a deprecated version of JScript that was released in 2009. Blocking access to this library can prevent exploitation of this and similar vulnerabilities that may be present in this old technology. When Internet Explorer is used to browse the modern web, jscript9.dll is used by default.
The Cyber Centre further recommends that system owners apply the relevant patches once they are available from Microsoft in mid-February.
REFERENCES
==========
17 January 2020 notice on the Microsoft website: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001
NOTE TO READERS
===============
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.