On January 17th, the CISA National Cyber Awareness System (NCAS) posted a warning regarding a critical Microsoft zero-day vulnerability, confirmed by Microsoft in a Security Advisory earlier the same day. In the advisory, ‘ADV200001 | Microsoft Guidance on Scripting Engine Memory Corruption Vulnerability’, Microsoft confirmed it is aware of a flaw affecting Internet Explorer that is currently being exploited by hackers. Microsoft assigned the bug a common vulnerability identifier, CVE-2020-0674, but specific details of the bug have yet to be released. We do know all supported versions of Windows are affected by the flaw, including Windows 7, which is rapidly moving to legacy status with no further availability of security updates.
Internet Explorer Corrupts Memory
The vulnerability exists in how Internet Explorer handles memory. Essentially, IE can corrupt memory in a way that lets an attacker remotely execute arbitrary (malicious) code on an affected computer running ANY version of Windows.
Likely threat scenario:
Attackers will likely use phishing and malicious advertisement links/redirects to infect users’ computers and servers. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. The worst-case scenario would be infecting a user who is logged on with administrative user rights. Microsoft warned, “if the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.” This type of attack is about as dangerous as it gets. An attacker can create new accounts, install malware, view and alter data, etc. with full user rights.
Internet Explorer Isn’t Even Considered a Browser by Microsoft
In a recent blog post, ‘The perils of using Internet Explorer as your default browser’, Microsoft’s worldwide lead for cybersecurity, Chris Jackson, recommends enterprise customers AVOID IE use for ALL web traffic, even if it is the easiest option. “You see, Internet Explorer is a compatibility solution,” commented Jackson in the blog. “We’re not supporting new web standards for it and, while many sites work fine, developers by and large just aren’t testing for Internet Explorer these days. They’re testing on modern browsers.”
So when is it appropriate to use IE?
Kyle Weller, Omega Systems’ Information Security Engineer and Cybersecurity Expert, recommends users strongly limit their usage of Internet Explorer for browsing the internet and searching, if possible. He comments, “I recognize some companies have 3rd party vendors that only support Internet Explorer. Using IE for business applications ONLY should be safe; however, I recommend companies pressure their vendors to support newer browsing technologies like Chrome, Firefox or Edge.”
How to move forward informed and prepared
As with all cybersecurity threats, prevention is the best option. Omega Systems’ Smart Support option for 3rd party patching and updates will automatically keep browsers and add-ons, like Java, up to date to prevent web-based attacks. Also, the latest Smart Support AV+ option provides further protection, blocking known and unknown phishing and malicious websites. That said, it’s important to note there are currently NO available patches for this vulnerability. Although some reports indicate an anticipated patch by early February, others indicate Microsoft has NO plans to provide a fix at all. Omega Systems’ support team will continue to monitor the situation and implement the appropriate patch, should one become available. If it is mandatory for your business to leverage IE, and you would like expedited patching when and if this becomes available, please contact Omega Systems’ Service Desk at 484.772.1110.
Omega Systems’ cybersecurity experts and support team are ready and able to assist you with this and other IT security concerns. For immediate assistance, please reach out to the Service Desk.