Micropatch simulates workaround for recent zero-day IE flaw, removes negative side effects

ACROS Security has released a micropatch that implements the workaround for a recently revealed actively exploited zero-day RCE flaw affecting Internet Explorer (CVE-2020-0674).

Remote code execution vulnerability affecting IE

Last Friday, Microsoft released an out-of-band security advisory notifying Internet Explorer users of a remote code execution vulnerability affecting IE 11, 10 and 9 on various versions od Windows and Windows Server, which they know is being exploited in “limited targeted attacks”.

Flagged by researchers from Qihoo 360 and Google’s Threat Analysis Group, the flaw has been filed under CVE-2020-0674, but no fix was released.

“Microsoft is aware of this vulnerability and working on a fix. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers,” the company explained, and offered information on mitigations and a temporary workaround.

Mitigation steps

Microsoft advised admins to implement the offered mitigation steps only if there is indication that the systems they are administrating are under elevated risk.

“If you implement the workaround, you will need to revert the mitigation steps before installing any future updates to continue to be protected,” the company pointed out.

Also, the workaround changes the ownership of the vulnerable JScript.dll, which has to be reverted again when the workaround is undone (before patching).

“This workaround has an expected negative side effect that if you’re using a web application that employs legacy JScript (and can as such only be used with Internet Explorer), this application will no longer work in your browser,” explained Mitja Kolsek, CEO of Acros Security and co-founder at 0patch, a solution that aims to provide fixes for zero-days, unpatched vulnerabilities, end-of-life and unsupported products, legacy operating systems, vulnerable third-party components and customized software.

The micropatch

Since the February Patch Tuesday is quite a while away and since Windows 7 and Windows Server 2008 R2 users without Extended Security Updates might not get the patch at all, ACROS Security decided to provide a micropatch that simulates the offered workaround (restricts access to the vulnerable JScript.dll) without its negative side effects (reduced functionality for components or features that rely on that particular .dll).

The company has ported the micropatch to Windows 7, Windows 10, Windows Server 2008 R2 and Windows Server 2019 (both 32-bit and 64-bit).

Those who already use 0patch can implement the micropatch immediately and remove it easily when Microsoft finally provides a patch (although, Microsoft’s patch will have precedence over the micropatch, so even removing it is not actually required).

Here is a video of the micropatch: