
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN036
_____________________________________________________________________

DATE                : 22/01/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows running Internet Explorer versions 9, 10, 11.

=====================================================================
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001
_____________________________________________________________________

ADV200001 | Microsoft Guidance on Scripting Engine Memory Corruption
Vulnerability

Security Advisory

Published: 01/17/2020 | Last Updated: 01/19/2020


A remote code execution vulnerability exists in the way that the
scripting engine handles objects in memory in Internet Explorer. The
vulnerability could corrupt memory in such a way that an attacker could
execute arbitrary code in the context of the current user. An attacker
who successfully exploited the vulnerability could gain the same user
rights as the current user. If the current user is logged on with
administrative user rights, an attacker who successfully exploited the
vulnerability could take control of an affected system. An attacker
could then install programs; view, change, or delete data; or create new
accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially
crafted website that is designed to exploit the vulnerability through
Internet Explorer and then convince a user to view the website, for
example, by sending an email.


Security Updates

To determine the support life cycle for your software version or
edition, see the Microsoft Support Lifecycle.


Product               Platform                                                     Impact                 Severity

Internet Explorer 10  Windows Server 2012                                          Remote Code Execution  Moderate
Internet Explorer 11  Windows 10 Version 1803 for 32-bit Systems                   Remote Code Execution  Critical
Internet Explorer 11  Windows 10 Version 1803 for x64-based Systems                Remote Code Execution  Critical
Internet Explorer 11  Windows 10 Version 1803 for ARM64-based Systems              Remote Code Execution  Critical
Internet Explorer 11  Windows 10 Version 1809 for 32-bit Systems                   Remote Code Execution  Critical
Internet Explorer 11  Windows 10 Version 1809 for x64-based Systems                Remote Code Execution  Critical
Internet Explorer 11  Windows 10 Version 1809 for ARM64-based Systems              Remote Code Execution  Critical
Internet Explorer 11  Windows Server 2019                                          Remote Code Execution  Moderate
Internet Explorer 11  Windows 10 Version 1909 for 32-bit Systems                   Remote Code Execution  Critical
Internet Explorer 11  Windows 10 Version 1909 for x64-based Systems                Remote Code Execution  Critical
Internet Explorer 11  Windows 10 Version 1909 for ARM64-based Systems              Remote Code Execution  Critical
Internet Explorer 11  Windows 10 Version 1709 for 32-bit Systems                   Remote Code Execution  Critical
Internet Explorer 11  Windows 10 Version 1709 for x64-based Systems                Remote Code Execution  Critical
Internet Explorer 11  Windows 10 Version 1709 for ARM64-based Systems              Remote Code Execution  Critical
Internet Explorer 11  Windows 10 Version 1903 for 32-bit Systems                   Remote Code Execution  Critical
Internet Explorer 11  Windows 10 Version 1903 for x64-based Systems                Remote Code Execution  Critical
Internet Explorer 11  Windows 10 Version 1903 for ARM64-based Systems              Remote Code Execution  Critical
Internet Explorer 11  Windows 10 for 32-bit Systems                                Remote Code Execution  Critical
Internet Explorer 11  Windows 10 for x64-based Systems                             Remote Code Execution  Critical
Internet Explorer 11  Windows 10 Version 1607 for 32-bit Systems                   Remote Code Execution  Critical
Internet Explorer 11  Windows 10 Version 1607 for x64-based Systems                Remote Code Execution  Critical
Internet Explorer 11  Windows Server 2016                                          Remote Code Execution  Moderate
Internet Explorer 11  Windows 7 for 32-bit Systems Service Pack 1                  Remote Code Execution  Critical
Internet Explorer 11  Windows 7 for x64-based Systems Service Pack 1               Remote Code Execution  Critical
Internet Explorer 11  Windows 8.1 for 32-bit systems                               Remote Code Execution  Critical
Internet Explorer 11  Windows 8.1 for x64-based systems                            Remote Code Execution  Critical
Internet Explorer 11  Windows RT 8.1                                               Remote Code Execution  Critical
Internet Explorer 11  Windows Server 2008 R2 for x64-based Systems Service Pack 1  Remote Code Execution  Moderate
Internet Explorer 11  Windows Server 2012                                          Remote Code Execution  Moderate
Internet Explorer 11  Windows Server 2012 R2                                       Remote Code Execution  Moderate
Internet Explorer 9   Windows Server 2008 for 32-bit Systems Service Pack 2        Remote Code Execution  Moderate
Internet Explorer 9   Windows Server 2008 for x64-based Systems Service Pack 2     Remote Code Execution  Moderate


Mitigations

By default, Internet Explorer on Windows Server 2008, Windows Server
2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server
2016 and Windows Server 2019 runs in a restricted mode that is known as
Enhanced Security Configuration. Enhanced Security Configuration is a
group of preconfigured settings in Internet Explorer that can reduce the
likelihood of a user or administrator downloading and running specially
crafted web content on a server. This is a mitigating factor for
websites that you have not added to the Internet Explorer Trusted sites
zone.


Workarounds


Impact of Workaround

Please note: Implementing these steps might result in reduced
functionality for components or features that rely on jscript.dll. For
example, depending on the environment, this could include client
configurations that leverage proxy automatic configuration scripts (PAC
scripts). These features and others may be impacted.

Microsoft recommends these mitigation steps only if there is indication
that you are under elevated risk. If you implement the workaround, you
will need to revert the mitigation steps before installing any future
updates to continue to be protected.

By default, IE11, IE10, and IE9 use Jscript9.dll, which is not impacted
by this vulnerability. This vulnerability only affects certain websites
that utilize jscript as the scripting engine.

Restrict access to JScript.dll

For 32-bit systems, enter the following commands at an administrative
command prompt:

    takeown /f %windir%\system32\jscript.dll
    cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, enter the following commands at an administrative
command prompt:

    takeown /f %windir%\syswow64\jscript.dll
    cacls %windir%\syswow64\jscript.dll /E /P everyone:N
    takeown /f %windir%\system32\jscript.dll
    cacls %windir%\system32\jscript.dll /E /P everyone:N


How to undo the workaround

For 32-bit systems, enter the following command at an administrative
command prompt:

    cacls %windir%\system32\jscript.dll /E /R everyone

For 64-bit systems, enter the following commands at an administrative
command prompt:

    cacls %windir%\system32\jscript.dll /E /R everyone
    cacls %windir%\syswow64\jscript.dll /E /R everyone
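
Added example (not part of the Microsoft advisory): a PowerShell check
that reports, for each jscript.dll path named above, whether a Deny entry
for Everyone is present, so the workaround state can be confirmed after
applying it and again after reverting it ahead of an update. The function
name Get-JScriptWorkaroundState and its state labels are chosen for this
example.

```powershell
# Added example: report whether the jscript.dll workaround is in place.
# Run from a 64-bit PowerShell on 64-bit Windows; a 32-bit process has
# system32 redirected to syswow64 and would check the same file twice.
$paths = @("$env:windir\system32\jscript.dll")
if ([Environment]::Is64BitOperatingSystem) {
    $paths += "$env:windir\syswow64\jscript.dll"
}

function Get-JScriptWorkaroundState {   # hypothetical helper name
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; State = 'Missing'; Owner = $null }
            continue
        }
        try {
            $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
        } catch {
            # Reading the ACL may fail for accounts other than the file
            # owner once Everyone is denied all access to the file.
            [pscustomobject]@{ Path = $p; State = 'Unreadable'; Owner = $null }
            continue
        }
        # Explicit (non-inherited) rules only, identities returned as SIDs.
        # S-1-1-0 is the well-known SID of the Everyone group.
        $deny = $acl.GetAccessRules($true, $false,
                    [System.Security.Principal.SecurityIdentifier]) |
            Where-Object {
                $_.AccessControlType -eq 'Deny' -and
                $_.IdentityReference.Value -eq 'S-1-1-0'
            }
        [pscustomobject]@{
            Path  = $p
            State = if ($deny) { 'Restricted' } else { 'NotRestricted' }
            Owner = $acl.Owner
        }
    }
}

Get-JScriptWorkaroundState -Path $paths | Format-Table -AutoSize
```

The Owner column shows who holds the file after takeown; the undo
commands above remove the Everyone entry but do not change the owner.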


FAQ

Is there an update to address this vulnerability?

No, Microsoft is aware of this vulnerability and working on a fix. Our
standard policy is to release security updates on Update Tuesday, the
second Tuesday of each month. This predictable schedule allows for
partner quality assurance and IT planning, which helps maintain the
Windows ecosystem as a reliable, secure choice for our customers.

Is Microsoft aware of attacks based on this vulnerability?

Yes, Microsoft is aware of limited targeted attacks.

Is there a CVE assigned to this vulnerability?

Yes, Microsoft has assigned CVE-2020-0674 to this vulnerability.


Acknowledgements

Clément Lecigne of Google’s Threat Analysis Group
Ella Yu from Qihoo 360

See acknowledgements for more information.

Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability
and fitness for a particular purpose. In no event shall Microsoft
Corporation or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits or special damages, even if Microsoft Corporation or its
suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not
apply.


Revisions

Version  Date        Description
1.0      01/17/2020  Information published.
1.1      01/17/2020  Added acknowledgements and an additional FAQ.
                     This is an informational change only.
1.2      01/19/2020  Updated Workaround information. This is an
                     informational change only.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================



