This worklet is to remedy CVE-2020-0674, as detailed in this article:
This is a remote code execution zero-day, affecting users on IE. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
Note: if your windows directory is different from c:\windows then you’ll need to make that change in the remediation code.
Evaluation code:
exit 1
Remediation code:
# Define Full Scriptblock to cover 64-bit scenario
$scriptBlock = {
takeown /f $env:SystemRoot\syswow64\jscript.dll
cacls $env:SystemRoot\syswow64\jscript.dll /E /P everyone:N
takeown /f $env:SystemRoot\system32\jscript.dll
cacls $env:SystemRoot\system32\jscript.dll /E /P everyone:N
}
# Check if OS is 64 or 32 and act accordingly.
$osArch = (Get-WmiObject Win32_OperatingSystem).OsArchitecture
# 64-bit: Full scriptblock passed to 64-bit PowerShell
# 32-bit: 32-bit PowerShell is sufficient, so execute the 2 relevant commands directly
if ($osArch -match '64-bit') {
& "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptBlock
} else {
takeown /f $env:SystemRoot\system32\jscript.dll
cacls $env:SystemRoot\system32\jscript.dll /E /P everyone:N
}
The fix is to temporarily restrict the permissions on jscript.dll until a patch can be released. Once the patch is available you will need to restore the default permissions prior to patching. You can restore the default permissions using the following code in a separate worklet:
cacls c:\windows\system32\jscript.dll /E /R everyone
cacls c:\windows\syswow64\jscript.dll /E /R everyone
