
Automating Response for New Zero-Day RCE on Windows IE CVE-2020-0674

Alert: There is a new zero-day RCE in Windows Internet Explorer, CVE-2020-0674, and no patch is available yet. In addition, as of now (1/20/20), VA tools cannot scan for this vulnerability. It is highly dangerous and is reported to have been exploited in the wild, so security teams must act fast.

According to Microsoft, in a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

How to Remediate

While there is no patch currently available to remediate this vulnerability, Microsoft has released a security advisory containing a workaround that can mitigate the threat until a patch becomes available:

Restrict access to JScript.dll 

For 32-bit systems, enter the following commands at an administrative command prompt:

takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, enter the following commands at an administrative command prompt:

takeown /f %windir%\syswow64\jscript.dll
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N

Undoing the workaround (if necessary):

For 32-bit systems, enter the following command at an administrative command prompt:

cacls %windir%\system32\jscript.dll /E /R everyone

For 64-bit systems, enter the following commands at an administrative command prompt:

cacls %windir%\system32\jscript.dll /E /R everyone
cacls %windir%\syswow64\jscript.dll /E /R everyone

Vulcan's Remediation Playbook for CVE-2020-0674

To mitigate multiple assets at once, we've written a PowerShell script that applies the mitigating control on the target system. The script determines whether the operating system is 64-bit or 32-bit and applies the mitigation accordingly.

Download the script here 

To mitigate, run the following script:

PS C:\ > ./CVE2020-mitigation.ps1

To undo:

PS C:\ > ./CVE2020-mitigation.ps1 -undo $True

Deployment Recommendation: 

You can deploy the PowerShell mitigation easily with tools such as SCCM and Intune, or by running it via a logon script.
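
To confirm the workaround took effect on each asset after deployment, the check below reads the ACL on jscript.dll and reports its state per file. It is an added example, not Vulcan's script or Microsoft's; the function name Get-JScriptMitigationState and the state labels are hypothetical, and it assumes the cacls everyone:N entry reads back as a Deny ACE for the Everyone SID (S-1-1-0).

```powershell
# Added example: report whether the jscript.dll workaround is applied on this host.
# Assumption: the cacls "everyone:N" entry reads back through Get-Acl as a
# Deny ACE for the Everyone SID (S-1-1-0).
function Get-JScriptMitigationState {
    [CmdletBinding()]
    param()

    $targets = @("$env:windir\System32\jscript.dll")
    if ([Environment]::Is64BitOperatingSystem) {
        $targets += "$env:windir\SysWOW64\jscript.dll"
        if (-not [Environment]::Is64BitProcess) {
            # A 32-bit host process has System32 redirected to SysWOW64;
            # Sysnative reaches the real 64-bit directory instead.
            $targets[0] = "$env:windir\Sysnative\jscript.dll"
        }
    }

    foreach ($path in $targets) {
        $state = 'NotMitigated'
        if (-not (Test-Path -LiteralPath $path)) {
            $state = 'FileMissing'
        } else {
            try {
                $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
                # Ask for SIDs rather than names so localized group names do not matter.
                $rules = $acl.GetAccessRules($true, $false,
                    [System.Security.Principal.SecurityIdentifier])
                foreach ($rule in $rules) {
                    if ($rule.IdentityReference.Value -eq 'S-1-1-0' -and
                        $rule.AccessControlType -eq 'Deny') {
                        $state = 'Mitigated'
                    }
                }
            } catch {
                # A Deny ACE for Everyone may also block reading the ACL
                # when the caller is not the file's owner.
                $state = 'AclUnreadable'
            }
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Path     = $path
            State    = $state
        }
    }
}

Get-JScriptMitigationState | Format-Table -AutoSize
```

On a 64-bit system both rows should read Mitigated after the workaround and NotMitigated after the undo; an AclUnreadable row means the check ran under an account that does not own the file.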

Impact of Workaround 

Implementing these steps might result in reduced functionality for components or features that rely on jscript.dll. To be fully protected, Microsoft recommends the update be installed as soon as possible. Please revert the mitigation steps before installing the update to return to a full state. 

By default, IE11, IE10, and IE9 use Jscript9.dll, which is not impacted by this vulnerability. This vulnerability only affects certain websites that utilize jscript as the scripting engine.

Alternative Unofficial Workaround: 

Block the use of Internet Explorer and Edge via GPO, or deny connections with Windows Defender Firewall.
