The company’s security advisory (ADV200001) currently includes only workarounds and mitigations that can be applied to safeguard vulnerable systems from attacks.
At the time of writing, there is no patch for this issue. Microsoft said it was working on a fix, to be released at a later date.
While Microsoft said it was aware that the IE zero-day was being exploited in the wild, the company described these as “limited targeted attacks,” suggesting the zero-day was not broadly exploited, but rather that it was part of attacks aimed at a small number of users.
These limited IE zero-day attacks are believed to be part of a larger hacking campaign, which also involves attacks against Firefox users.
Connected to last week’s Firefox zero-day
Last week, Mozilla patched a similar zero-day that was being exploited to attack Firefox users. Mozilla credited Qihoo 360 for discovering and reporting the Firefox zero-day.
In a now-deleted tweet, the Chinese cyber-security firm said the attackers were also exploiting an Internet Explorer zero-day. This appears to be the zero-day that Qihoo 360 researchers mentioned at the time.
No information has been shared about the attacker or the nature of the attacks. Qihoo 360 did not return a request for comment seeking information about the attacks.
RCE in IE
Below is Microsoft’s technical description of this zero-day:
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.
All supported Windows desktop and Server OS versions are impacted, Microsoft said.
This IE RCE zero-day does not have a CVE identifier assigned at the moment.
Microsoft patched two similar IE zero-days in September and November 2019. Although IE is no longer the default browser in the latest Windows OS versions, it is still installed with the OS. Users on older Windows releases are the ones primarily at risk.