Users may have moved past Internet Explorer onto newer alternatives, but hackers still think they can get something out of the old browser. US-CERT and Microsoft have put out security advisories about an Internet Explorer bug that’s being used by hackers in the wild.
It’s a memory corruption bug that exists in the way IE’s scripting engine handles memory and could allow a remote attacker to run arbitrary code on the target machine.
The job of the scripting engine is to handle the execution of VBScript and Jscript. Once on the machine, the hacker gets the same privileges as the current user. So, if the user is running an Administrator account, the hacker gets the power to install/uninstall apps.
CERT advisory warns that any application that can embed IE or the affected scripting engine can be used as an attack vector. Thus, a malicious actor can compromise devices by making the user open a specially crafted website that supports the embedded script engine content.
This comes after the security firm Qihoo 360 tweeted about an IE but deleted it later on. Apparently, Microsft’s advisory credits a researcher from the firm under the acknowledgments.
Microsoft has identified the memory corruption vulnerability as CVE-2020-0674 and said that it’s “aware of limited targeted attacks” being performed.
Right now, there is no security patch to fix the flaw, but if necessary, Microsoft says a possible workaround is to restrict access to the jscript.dll library (a defunct Jscript version released in 2009). However, the said bug doesn’t affect ..
Support the originator by clicking the read the rest link below.
