
A zero-day vulnerability that is being actively exploited has been confirmed by Microsoft


It's been a lousy week for Windows users: first, the NSA curveball crypto vulnerability and now confirmation of a zero-day vulnerability that's being actively exploited with no fix yet.

Hot on the heels of the National Security Agency (NSA) and Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) warnings for Windows 10 users to update urgently as news of the curveball crypto vulnerability broke, here we are again. CISA has published a new warning for Windows users as Microsoft confirms a critical zero-day vulnerability is being actively exploited, and there is no fix available at the time of writing.

What is the critical zero-day vulnerability confirmed by Microsoft?

The CISA National Cyber Awareness System (NCAS) warning was made on January 17 and referred to a Microsoft security advisory that was published earlier the same day. Importantly, that advisory confirmed that "Microsoft is aware of limited targeted attacks." So, what is the critical zero-day vulnerability that's already being exploited in the wild?

Microsoft said that a remote code execution (RCE) vulnerability had been found in the scripting engine of the Internet Explorer (IE) web browser. It's a critical vulnerability, tracked as CVE-2020-0674, that affects Internet Explorer 9, 10 and 11 across all versions of Windows: the way the scripting engine handles objects in memory can be corrupted so that an attacker can execute arbitrary code in the context of the current user. "An attacker who successfully exploited the vulnerability could gain the same user rights as the current user," Microsoft warned, "if the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system." Which is about as dangerous as it gets, as that attacker could create new accounts, install malware, view and alter data and so on. It is also why browsing from a standard, non-administrative account matters: the exploit inherits only the rights of whoever is logged on.

To exploit this zero-day vulnerability, a threat actor could host a specially crafted web page that makes the browser use the legacy JScript engine (jscript.dll) and lure the victim into viewing it with Internet Explorer; no further user interaction is needed once the page is rendered. The caveat that matters for defenders is in Microsoft's advisory: IE 9, 10 and 11 use the newer Jscript9.dll by default, which is not affected, so the vulnerable code is only reached when a page explicitly requests the older JScript engine. That is exactly what a malicious page does, and it is also why Microsoft's workaround (below) targets jscript.dll rather than the browser as a whole.

Who uses Internet Explorer these days?

So this isn't a big deal, right? After all, who uses Internet Explorer these days? Actually, according to the latest web browser market share statistics from Net Marketshare the answer is more people than you might imagine. While Google Chrome dominates the market with a 67.28% share, Internet Explorer on 7.42% is in third place just behind Firefox on 9%. This, despite Microsoft effectively hammering nails into the IE coffin when it chose Edge as the default browser for Windows 10.

The problem is that we also know that older versions of Windows remain popular with consumers and businesses alike. Windows 7, for example, has the second-largest market share of all desktop operating systems on 32.74% which is only beaten by 47.65% for Windows 10. That's right, the now unsupported Windows 7 that some experts have called a "crazy high security risk."

If there's no patch for the zero-day vulnerability, what can I do?

When it comes to mitigation advice for a vulnerability with no fix, there's one thing that stands out like the proverbial sore thumb: use another browser. Although it is understood that the zero-day vulnerability in IE is related to the critical zero-day issue in Firefox I wrote about on January 9, the latter has been fixed already. Edge, Chrome, and Safari are also not impacted.

For those business users who cannot move away from an old Internet Explorer installation for operational reasons, there are some mitigating factors. Microsoft advises that by default IE on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 runs "in a restricted mode that is known as Enhanced Security Configuration." That mode places Internet sites in the High security zone, where Active Scripting is disabled, which reduces the chances of the malicious page the vulnerability relies upon ever being run. It only helps, of course, where ESC has not been switched off for convenience, and it says nothing about client editions of Windows.

Otherwise, Microsoft advises that it's possible to restrict access to jscript.dll, by taking ownership of the file and denying the Everyone group all access to it, so that IE can no longer load the vulnerable engine. Microsoft warns this could lead to reduced functionality in components that still depend on the legacy engine, and the restriction has to be reverted before the eventual security update can replace the file.
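The following PowerShell wrapper is an added example, not code from Microsoft's advisory or from the article. It applies, audits and reverts the jscript.dll restriction described above. The takeown and cacls invocations are the ones Microsoft published for this workaround; the function names, the SID-based status check and the exit-code handling are this example's own. It assumes an elevated 64-bit PowerShell session and an English-language Windows build, because the cacls commands refer to the Everyone group by name (substitute the localized group name on other builds).

```powershell
# Added example (not from the Microsoft advisory or the article): wraps the
# jscript.dll access-restriction workaround Microsoft published for CVE-2020-0674
# so it can be applied, audited and reverted consistently across many hosts.
# Run from an elevated 64-bit PowerShell prompt. Expect breakage in features
# that still rely on the legacy JScript engine, and revert before patching.

$ErrorActionPreference = 'Stop'

# 64-bit Windows carries two copies of the DLL; 32-bit Windows only the System32 one.
function Get-JScriptDllPaths {
    $paths = @("$env:windir\System32\jscript.dll")
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "$env:windir\SysWOW64\jscript.dll"
    }
    return $paths
}

# Reports whether each copy currently carries a "Deny" entry for Everyone.
# The check compares SIDs (S-1-1-0 = Everyone) so it does not depend on the
# localized group name that 'cacls ... everyone:N' relies on.
function Get-JScriptWorkaroundStatus {
    foreach ($dll in Get-JScriptDllPaths) {
        $acl = Get-Acl -LiteralPath $dll
        $deny = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
        }
        [pscustomobject]@{
            Path      = $dll
            Owner     = $acl.Owner
            Mitigated = [bool]$deny
        }
    }
}

# Applies the workaround exactly as the advisory does: take ownership of the
# file (it is normally owned by TrustedInstaller), then deny Everyone all access.
# takeown/cacls are native executables, so failures surface via $LASTEXITCODE.
function Enable-JScriptWorkaround {
    foreach ($dll in Get-JScriptDllPaths) {
        & takeown.exe /f $dll | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "takeown failed on $dll (exit $LASTEXITCODE)" }
        & cacls.exe $dll /E /P everyone:N | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "cacls failed on $dll (exit $LASTEXITCODE)" }
    }
    Get-JScriptWorkaroundStatus
}

# Reverts the workaround with the advisory's own undo command, which removes
# the Everyone entry again. Ownership stays with Administrators, which is fine
# for the update that later replaces the file.
function Disable-JScriptWorkaround {
    foreach ($dll in Get-JScriptDllPaths) {
        & cacls.exe $dll /E /R everyone | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "cacls failed on $dll (exit $LASTEXITCODE)" }
    }
    Get-JScriptWorkaroundStatus
}

# Usage:
#   Get-JScriptWorkaroundStatus     # audit: Mitigated should be True on every copy
#   Enable-JScriptWorkaround        # apply until the official update is installed
#   Disable-JScriptWorkaround       # revert before installing the update
```

The status function is the part worth keeping around after the patch ships: a host that still reports Mitigated = True after the update has been deployed is a host where the update most likely failed to replace jscript.dll, since the deny entry was never removed.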

As for an out-of-band patch, that currently looks unlikely, as Microsoft said that "our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers. Microsoft is aware of limited targeted attacks."

Mitigation advice for Windows 7 and Server 2008 R2 users

Mitja Kolsek, the CEO of the digital security research lab, Acros, and founder of micro-patching service 0patch, has contacted me to confirm the availability of a temporary fix for the CVE-2020-0674 zero-day. "Windows 7 and Server 2008 R2 may never get official patches for CVE-2020-0674," Kolsek said, "so as part of our 'security adoption' program, we're providing these micro-patches instead." The micro-patches for Windows 7, Windows Server 2008 R2, Windows 10 and Windows Server 2019 can be found here for users of the platform.

Updated January 22

This article was updated with news of a temporary patch to fix CVE-2020-0674.