Threat Signal Report
CVE-2020-0674 Scripting Engine Memory Corruption Vulnerability
Today's Microsoft Patch Tuesday release for February 11, 2020 contains (99) reported disclosures affecting almost as many product versions (due to the existence of multiple versions of the same product.) This month's release has one critical bug that has seen exploitation in the wild, CVE-2020-0674 which is a scripting engine memory corruption vulnerability in Internet Explorer. Although Internet Explorer has been deprecated back in 2016 potentially minimizing risk for users running older browsers (Internet Explorer 9/10) on older platforms by forcing them to upgrade; support for Internet Explorer 11 still exists for the time being even though Microsoft Edge was introduced in 2015.
What are the specifics of the vulnerability?
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
What versions of software are affected?
Windows RT 8.1
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2019
Is this issue Internet Explorer specific?
Have there been reports of in the wild exploitation?
Yes, Microsoft has observed in the wild attacks exploiting CVE-2020-0674. Attribution is unknown at this time.
Any suggestions or mitigations?
Fortiguard Labs suggests that customers running Internet Explorer apply this month's February 2020 updates when feasible. If not possible, it is recommended that those affected discontinue usage of affected versions for the time being and use an alternative browser until the patches can be applied.
What is the status of AV and IPS coverage?
Fortinet customers running the latest definitions set are currently protected against CVE-2020-0674 by our IPS signature:
AV coverage is not feasible for this event.
Traffic Light Protocol
|Color||When Should it Be used?||How may it be shared?|
TLP: REDNot for disclosure, restricted to participants only.
|Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.||Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.|
TLP: AMBERLimited disclosure, restricted to participants’ organizations.
|Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.||Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.|
TLP: GREENLimited disclosure, restricted to the community.
|Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.||Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.|
TLP: WHITEDisclosure is not limited.
|Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.||Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.|