IE Zero Day Remediation for CVE-2020-0674

This worklet remediates CVE-2020-0674, as detailed in this article:

This is a remote code execution zero-day affecting Internet Explorer users. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Note: if your Windows directory is not C:\Windows, you will need to change the hard-coded paths in the code below accordingly.

Evaluation code:

```powershell
# Exit code 1 = "not compliant", so the remediation code runs on every device this worklet targets
exit 1
```

Remediation code:

```powershell
# Define full scriptblock to cover the 64-bit scenario (both the 64-bit and the WOW64 copy of jscript.dll)
$scriptBlock = {
    takeown /f $env:SystemRoot\syswow64\jscript.dll
    cacls $env:SystemRoot\syswow64\jscript.dll /E /P everyone:N
    takeown /f $env:SystemRoot\system32\jscript.dll
    cacls $env:SystemRoot\system32\jscript.dll /E /P everyone:N
}
# Check if OS is 64 or 32 and act accordingly.
$osArch = (Get-WmiObject Win32_OperatingSystem).OsArchitecture
#  64-bit: full scriptblock passed to 64-bit PowerShell (via sysnative, since the worklet host is 32-bit)
#  32-bit: 32-bit PowerShell is sufficient, so execute the 2 relevant commands directly
if ($osArch -match '64-bit') {
    & "$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonInteractive -Command $scriptBlock
} else {
    takeown /f $env:SystemRoot\system32\jscript.dll
    cacls $env:SystemRoot\system32\jscript.dll /E /P everyone:N
}
```

The fix temporarily restricts the permissions on jscript.dll until a patch can be released. Once the patch is available, you will need to restore the default permissions before patching. You can restore them using the following code in a separate worklet:

```powershell
cacls c:\windows\system32\jscript.dll /E /R everyone
cacls c:\windows\syswow64\jscript.dll /E /R everyone
```
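The evaluation code above always exits 1, so every targeted device is remediated on every run, and the worklet never reports whether the workaround is actually in place. As an added example (not part of the original worklet and not Automox's own code), the script below checks each copy of jscript.dll for the Deny ACE that `cacls everyone:N` writes and exits 0 only when the device is in the expected state; set `$ExpectDeny` to `$false` to reuse the same script as the evaluation for the restore worklet. The function names `Get-JscriptPaths` and `Test-EveryoneDeny` and the variable `$ExpectDeny` are my own. It assumes the worklet convention that evaluation exit code 0 means compliant and 1 means remediation is required, that the worklet host is a 32-bit process on 64-bit Windows (hence the Sysnative alias, as in the remediation code), and that `cacls everyone:N` is recorded as an explicit Deny ACE for the Everyone SID (S-1-1-0).

```powershell
# Added example: evaluation script for the jscript.dll workaround (not the original worklet's code).
# $ExpectDeny = $true  -> compliant when every jscript.dll carries a Deny ACE for Everyone (workaround applied)
# $ExpectDeny = $false -> compliant when none of them does (use this in the restore worklet before patching)
$ExpectDeny = $true

# Well-known SID for Everyone; comparing SIDs avoids localized account names ("Jeder", "Tout le monde").
$everyoneSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# Build the list of jscript.dll copies to check. Assumption: the worklet runs as a 32-bit process on
# 64-bit Windows, where System32 is redirected to SysWOW64; the Sysnative alias reaches the real 64-bit file.
function Get-JscriptPaths {
    $is64Os   = (Get-WmiObject Win32_OperatingSystem).OSArchitecture -match '64-bit'
    $is64Proc = [IntPtr]::Size -eq 8
    if (-not $is64Os) { return @("$env:SystemRoot\System32\jscript.dll") }
    $native = if ($is64Proc) { "$env:SystemRoot\System32\jscript.dll" } else { "$env:SystemRoot\Sysnative\jscript.dll" }
    return @($native, "$env:SystemRoot\SysWOW64\jscript.dll")
}

# True when the file's DACL carries an explicit Deny ACE for Everyone (assumed to be what cacls everyone:N writes).
function Test-EveryoneDeny {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }   # an unresolvable identity (e.g. orphaned SID) cannot be Everyone
        if ($sid -eq $everyoneSid) { return $true }
    }
    return $false
}

$nonCompliant = @()
foreach ($path in Get-JscriptPaths) {
    if (-not (Test-Path -Path $path)) { continue }    # no file: nothing to protect or to restore
    $denied = Test-EveryoneDeny -Path $path
    $state  = if ($denied) { 'Everyone:Deny present' } else { 'no Everyone:Deny' }
    Write-Output "$path : $state"
    if ($denied -ne $ExpectDeny) { $nonCompliant += $path }
}

if ($nonCompliant.Count -gt 0) {
    Write-Output "Remediation required for: $($nonCompliant -join ', ')"
    exit 1     # not compliant -> the remediation code runs
}
Write-Output 'Compliant, nothing to do'
exit 0
```

With this evaluation in place the remediation only runs on devices that still have the default ACL, and the same script with `$ExpectDeny = $false` confirms the deny entry is gone before the patch is applied.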

Notably, you can use the environment variable “SystemRoot” to cover this scenario if necessary, though it should be pretty rare. For example:

```powershell
takeown /f $env:SystemRoot\syswow64\jscript.dll
```

and similar for the remainder of the lines.


More details about this vulnerability on our blog: