CVE-2020-0674 : Internet Explorer Remote Code Execution Vulnerability Exploited in the Wild

By Rody Quinlan, Security Response Manager at Tenable

The Tenable Security Response Team (SRT) launched a Security Advisory for CVE-2020-0674: Internet Explorer Remote Code Execution Vulnerability Exploited in the Wild. On January 17, Microsoft released an out-of-band advisory (ADV200001) for a zero-day remote code execution (RCE) in Internet Explorer that has been exploited in the wild. 

CVE-2020-0674 is an RCE vulnerability that exists in the way the scripting engine handles objects in memory in Internet Explorer. Exploitation of this vulnerability could allow an attacker to corrupt memory and execute arbitrary code with the same level of privileges as the current user. If the current user has administrator-level privileges this would grant the attacker control of the system with the ability to view, edit or delete data, install programs or create accounts with privileges of their choosing.

To exploit this vulnerability an attacker would be required to host a maliciously crafted website designed to take advantage of this Internet Explorer vulnerability and then require a target to visit the website. A target could be convinced to visit the website via social engineering by embedding a link to it in an email, compromising a legitimate website or forum, or alternatively the link could be embedded in a file that supports the execution of scripts when opened, such as Microsoft Office Documents, PDF files, or HTML files.

This vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG) and Ella Yu from Qihoo 360.In 2019 Clément also discovered a pair of zero-day vulnerabilities exploited together in the wild in Google Chrome (CVE-2019-5786) and Microsoft Windows (CVE-2019-0808), as well as a zero-day memory corruption vulnerability in Internet Explorer exploited in the wild (CVE-2019-1367).

Earlier this month, Qihoo 360 was credited with discovering a zero-day vulnerability in Mozilla Firefox exploited in the wild in targeted attacks. At the same time, reports emerged that Qihoo 360 also discovered an Internet Explorer zero-day based on a now deleted tweet. No information was available at that time, but it appears that this was the vulnerability that had been referenced.

At this time, no details had been made public regarding the in-the-wild exploitation of this vulnerability, though Microsoft says they are “aware of limited targeted attacks”. 

A full analysis of the vulnerability can be found in this blog by Tenable SRT.