0patch releases micropatch for Internet Explorer vulnerability -- including for Windows 7
At the end of last week, a serious vulnerability was discovered in Internet Explorer, affecting all versions of Windows. Not only is the bug (CVE-2020-0674) being actively exploited, but for Windows 7 users the vulnerability was exposed right after their operating system reached the end of its life.
Even for users of newer versions of Windows, and despite the severity of the security flaw, Microsoft said it would not be releasing a patch until February. Stepping in to plug the gap comes 0patch with a free micropatch for all versions of Windows affected by the vulnerability.
This is not the first time 0patch has stepped up to the plate and addressed a security issue before Microsoft. Although the Windows-maker says it will not release a fix until February's Patch Tuesday, the company did publish details of a workaround to help mitigate the vulnerability. But, as 0patch notes, the workaround was not without issues.
Because the provided workaround has multiple negative side effects, and because it is likely that Windows 7 and Windows Server 2008 R2 users without Extended Security Updates will not get the patch at all (their support ended this month), we decided to provide a micropatch that simulates the workaround without its negative side effects.
The vulnerability is in jscript.dll, which is the scripting engine for legacy JScript code; note that all "non-legacy" JScript code (whatever that might be), and all JavaScript code gets executed by the newer scripting engine implemented in jscript9.dll.
Microsoft's workaround comprises setting permissions on jscript.dll such that nobody will be able to read it. This workaround has an expected negative side effect that if you're using a web application that employs legacy JScript (and can as such only be used with Internet Explorer), this application will no longer work in your browser.
0patch points out that there are other unwanted side effects of using Microsoft's workaround:
- Windows Media Player is reported to break on playing MP4 files.
- The sfc (Resource Checker), a tool that scans the integrity of all protected system files and replaces incorrect versions with correct Microsoft versions, chokes on jscript.dll with altered permissions.
- Printing to "Microsoft Print to PDF" is reported to break.
- Proxy automatic configuration scripts (PAC scripts) may not work.
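One way to check whether a machine has the permission-based workaround described above in place, so that the listed side effects can be traced back to it. This is an added example, not code from Microsoft, 0patch or the original article; the function name Test-ReadDenied and the default paths under %windir% are assumptions.

```powershell
# Added example: report whether jscript.dll carries a Deny entry that blocks reading.
# Assumptions: default system paths; run from a 64-bit PowerShell on 64-bit Windows
# so that System32 is not redirected to SysWOW64.

function Test-ReadDenied {
    param([Parameter(Mandatory=$true)][string]$Path)

    $readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        # A Deny entry that includes the read-data right stops the DLL from being loaded.
        if (([int]$ace.FileSystemRights -band $readBit) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

$targets = @(
    (Join-Path $env:windir 'System32\jscript.dll'),
    (Join-Path $env:windir 'SysWOW64\jscript.dll')   # present only on 64-bit Windows
)

$report = foreach ($path in $targets) {
    if (-not (Test-Path -Path $path)) { continue }
    try {
        $who = Test-ReadDenied -Path $path
        $state = if ($who) { "read denied for $who" } else { 'no deny-read entry' }
    } catch {
        # If the permissions themselves cannot be read, the file is locked down
        # for this account; report that instead of failing.
        $state = "ACL unreadable: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Path     = $path
        State    = $state
    }
}

$report | Select-Object Computer, Path, State | Format-Table -AutoSize
```

A host reporting "read denied" or an unreadable ACL on either copy is a candidate for the application breakage listed above.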
For anyone using the 0patch platform, the patch is available right now. It is compatible with the 32- and 64-bit versions of Windows 7, Windows 10 v1709, Windows 10 v1803, Windows 10 v1809, Windows Server 2008 R2 and Windows Server 2019.
The company has produced a video showing the patch in action.
It's also worth reading through the accompanying blog post for an explanation of how the patch works.