Microsoft has published a critical vulnerability in Internet Explorer, identified as CVE-2020-0674. It allows attackers to execute code remotely through the JScript.dll library. A security patch is currently being created.

On the first Patch Tuesday of 2020, Microsoft released 49 updates; shortly afterwards, the vendor reported a new zero-day security vulnerability in Internet Explorer. It is a remote code execution flaw in the way the scripting engine processes objects in memory, and it is triggered through the JScript.dll library.

At this point, there is a risk of exploitation: the vulnerability could allow an attacker to corrupt memory. As a result, a remote attacker could execute arbitrary code in the context of the current user. Depending on the administrative rights with which that user is currently logged in, the attacker could, in the worst case, take control of the affected system. Possible consequences include unwanted programs being installed and sensitive or operationally relevant data being viewed, modified or deleted. An attacker who successfully exploited this vulnerability could gain extensive user rights and could even create new accounts.

Affected versions

The affected browsers are Internet Explorer 9, 10 and 11, running on all versions of Windows 10, Windows 8.1 and the recently discontinued Windows 7. Microsoft's official advisory, ADV200001, includes a workaround to protect vulnerable systems where users depend on Internet Explorer. However, users are strongly advised not to use the vulnerable browsers until this vulnerability has been fixed.