Microsoft has warned users in a security advisory of a zero-day vulnerability that is being actively exploited by threat actors.
Microsoft explained that the vulnerability, dubbed CVE-2020-0674, could corrupt memory in such a way that a threat actor could execute arbitrary code.
A threat actor who successfully exploits the vulnerability could obtain the same user rights as the current user. If the current user is logged on with administrative user rights, the threat actor could take control of the compromised system.
Subsequently, a threat actor could install programs; view, modify or delete data; or even create new accounts with full user rights.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email,” warns Microsoft in the advisory.
All supported versions of Windows are vulnerable to exploitation.
Currently there is no fix for this vulnerability; however, Microsoft is aware of it and has assigned it CVE-2020-0674.
The patch will only be released in February, as Microsoft releases security updates on the second Tuesday of each month, stating that a “predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers.”
While they wait for a patch, users can be protected by default settings called Enhanced Security Configuration. Microsoft has also alerted users to a workaround that involves restricting access to JScript.dll.
“Microsoft recommends these mitigation steps only if there is indication that you are under elevated risk. If you implement the workaround, you will need to revert the mitigation steps before installing any future updates to continue to be protected.”
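One way to check whether such a restriction is currently in place on a host, as an added example (not from Microsoft's advisory or the original article). It assumes the restriction takes the form of a deny entry for Everyone in the file's ACL and that the DLL sits in the standard System32 and SysWOW64 directories; the function name is hypothetical.

```powershell
# Added example: report whether access to jscript.dll is restricted on this host.
# Assumption: the restriction is a Deny entry for Everyone (SID S-1-1-0) in the file's ACL.
$paths = @(
    (Join-Path $env:windir 'System32\jscript.dll'),
    (Join-Path $env:windir 'SysWOW64\jscript.dll')   # absent on 32-bit Windows
)

function Get-JScriptRestriction {   # hypothetical helper name
    param([string[]]$Path)
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    foreach ($p in $Path) {
        $row = [ordered]@{ Path = $p; Present = $false; Restricted = $null; Owner = $null }
        if (Test-Path -LiteralPath $p) {
            $row.Present = $true
            try {
                $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
                $row.Owner = $acl.Owner
                # Translate identities to SIDs so the match works on localized systems.
                $deny = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
                    $_.AccessControlType -eq 'Deny' -and
                    $_.IdentityReference.Value -eq 'S-1-1-0' -and
                    $_.FileSystemRights.HasFlag($readData)
                })
                $row.Restricted = ($deny.Count -gt 0)
            } catch [System.UnauthorizedAccessException] {
                # A deny entry can also block reading the ACL for non-owners.
                $row.Restricted = 'Unknown (access denied reading ACL)'
            }
        }
        [pscustomobject]$row
    }
}

Get-JScriptRestriction -Path $paths | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell session. Hosts that report `Restricted = True` are the ones where the workaround has to be reverted before future updates are installed.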
The post #Privacy: Internet Explorer flaw won’t be patched until February appeared first on PrivSec Report.