Patch out for exploited Internet Explorer zero-day

Windows users are advised to apply two out of band updates released by Microsoft today, with one of the flaws being exploited in the wild by unnamed attackers.

The first patch addresses a critical memory corruption zero-day vulnerability in the Windows Javascript scripting engine.

Since the scripting engine doesn't handle objects in memory in Internet Explorer properly, an attacker could exploit the vulnerability to run arbitrary code with the rights of the logged in user, Microsoft said in its CVE-2019-1367 security advisory.

The vulnerability affects websites that use jscript.dll as the scripting engine. 

Microsoft said that Internet Explorer versions 9, 10 and 11 use JScript9.dll by default which isn't affected by the vulnerability.

Although details of the vulnerability have not been publicly disclosed, Microsoft warned that the flaw is being exploited on both the latest and older software releases.

Microsoft did not provide further details on the attacks, or how many users it believes are affected by the bug.

Command line workarounds are available to restrict access to the JScript dynamic link library, but Microsoft warned that they could reduce functionality for components or features that rely on the file.

Issuing the following commands within an Administrator prompt on 32-bit Windows:

takeown /f %windir%\system32\jscript.dll

cacls %windir%\system32\jscript.dll /E /P everyone:N

and on 64-bit Windows:

takeown /f %windir%\syswow64\jscript.dll

cacls %windir%\syswow64\jscript.dll /E /P everyone:N

takeown /f %windir%\system32\jscript.dll

cacls %windir%\system32\jscript.dll /E /P everyone:N

If the workaround is in place, it must be undone before today's update for the vulnerability is applied, Microsoft said.

With Administrator provileges, the below command removes the workaround on 32-bit systems:

cacls %windir%\system32\jscript.dll /E /R everyone

On 64-bit systems:

cacls %windir%\system32\jscript.dll /E /R everyone

cacls %windir%\syswow64\jscript.dll /E /R everyone

Microsoft's Windows Defender will be automatically updated to handle a denial of service vulnerability that could be exploited to stop users from running legitimate system binaries.

Unlike the scripting engine flaw, the Defender vulnerability has not been detected to be exploited in the wild, Microsoft said.