A targeted attack is targeting a previously unknown vulnerability in Internet Explorer to corrupt memory and exploit victims' Windows systems, Microsoft warned in an advisory published on January 17.
The flaw, described as a scripting engine memory corruption vulnerability and designated CVE-2020-0674, allows an attacker to take control of a Windows system by forcing it to use an older version of Microsoft's JavaScript that is only present for backward compatibility. By default, Internet Explorer does not use the vulnerable dynamic library, Microsoft stated.
"The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user," Microsoft stated in Advisory 200001. "An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system."
While the attack is serious, its impact is limited because Internet Explorer is only used by a limited number of users who want backward compatibility with older Microsoft technologies. Currently, only 2.3% of visitors use Internet Explorer 11, one of the vulnerable versions, according to W3counter.
The vulnerable library, jscript.dll is typically not used, so an attacker needs to control the website or have created a web page that is opened in a vulnerable browser.
"By convincing a user to view a specially crafted HTML document — [that is,] a web pa ..
Support the originator by clicking the read the rest link below.
