CVE-2020-0674
Published: 11 February 2020
Summary
CVE-2020-0674 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Internet Explorer. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2020-0674 is a remote code execution vulnerability arising from a use-after-free flaw (CWE-416) in the way the scripting engine handles objects in memory within Internet Explorer. The issue enables memory corruption and is distinct from several related scripting engine vulnerabilities disclosed at the same time.
An unauthenticated remote attacker can trigger the flaw over the network by serving malicious content that a user must visit in Internet Explorer. Successful exploitation grants the attacker arbitrary code execution with the privileges of the logged-on user, although the CVSS vector indicates high attack complexity and a requirement for user interaction.
Microsoft published an advisory with security guidance and patch information at the listed MSRC portal URL. Public proof-of-concept code demonstrating the use-after-free condition has been posted to repositories including GitHub and Packet Storm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-2167
Vulnerability details
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2020-0673, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713, CVE-2020-0767.
- CWE(s): CWE-416 (Use After Free)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires applying the Microsoft patch that removes the use-after-free flaw in the IE scripting engine before exploitation can occur.
Restricts or authorizes execution of mobile code (scripts) inside Internet Explorer, limiting the attack surface that triggers the memory-corruption flaw.
Enforces least functionality by disabling unnecessary scripting and active content features in IE that are required to reach the vulnerable code path.