www.belgium.be Logo of the federal government

New zero day found in Microsoft Internet Explorer

Reference: 
Advisory #2020-003
Version: 
1.0
Affected software: 
Microsoft Internet Explorer 9 through 11
Type: 
Remote Code Execution
CVE/CVSS: 

CVE-2019-0674

Sources

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200001 (1)

Risks

Successful attacks using this vulnerability could allow an attacker to execute his own shellcode remotely with Internet Explorer privileges.

Description

An attacker can make use of a zero-day vulnerability in Internet Explorer 9 through 11 to run arbitrary commands with full user rights. If the logged in user is an administrator, this could lead to a full system compromise.

There is currently no patch available for this vulnerability, and the vulnerability is actively being exploited in the wild. There are known mitigations, however.

Recommended Actions

CERT.be recommends to perform the mitigation techniques proposed by Microsoft(1), or to use a different browser until a patch is available.