Skip to main content

Internet Explorer under attack by North Korean hackers: What to do

North Korea hack Internet Explorer
(Image credit: Shutterstock; Tom's Guide)

Hot on the heels of last week's epic round of Microsoft software patches comes a new critical Windows vulnerability: a "zero-day" flaw in Internet Explorer that's currently being exploited by North Korean hackers, and for which there's no fix as of yet.

Your job, dear reader, is to stop using Internet Explorer on all versions of Windows. Microsoft's Edge browser is much better and safer, and so are Google Chrome and Mozilla Firefox.

If you absolutely positively need IE for some web app that won't run on any other browser, then you should make sure to use IE only in a limited-user account that cannot modify software. (Using limited accounts may be the single most effective way to protect your PC.) 

For tech-savvy users, Microsoft has provided couple of mitigation scripts that we'll detail at the end of this article. Everyone else will have to wait for a full fix, which Microsoft may not push out until next month's Patch Tuesday on Feb. 11. Some of the best antivirus software makers may find ways to block the attack before then.

Chasing Mozilla

This new vulnerability seems to be related to a Firefox flaw that Mozilla patched earlier this month, and which was also under attack from presumably the same group of attackers. The researchers at Qihoo 360 who found the Mozilla flaw initially posted a tweet that said IE was also vulnerable, then quickly deleted it. 

In a Chinese-language blog post, the researchers identified the attacking group as DarkHotel, a North Korean hacking group that has been active since at least 2007 and which specializes in tracking the movements of high-profile business travelers. 

In its public advisory, Microsoft stated that the vulnerability was being used in "limited targeted attacks," i.e., not against the general public as a whole.

The IE flaw, catalogued as CVE-2020-0674, officially affects both supported versions of the browser, IE 10 and IE 11, and all versions of Windows 10, Windows 8.1 and the just-retired Windows 7 with Service Pack 1. We'd guess that it likely affects earlier, deprecated versions of IE and Windows too.

Reach out and zap someone

Microsoft quietly disclosed the vulnerability late Friday (Jan. 17) with its advisory, which was in turn updated Sunday (Jan. 19). 

"A remote code execution" -- i.e., internet-based -- "vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer," the advisory read. "The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user." 

If the current user had administrative privileges, then the attacker could "install programs; view, change, or delete data; or create new accounts with full user rights."

"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email," the advisory added.

This vague description nonetheless fits with Firefox's own zero-day flaw from earlier this month, which involved an error in the way that browser's just-in-time code compiler handled JavaScript, the scripting language that makes websites interactive.

Blast from the past

The silver lining is that exploiting the Internet Explorer flaw relies on the presence of an outmoded direct link library called jscript.dll. (A DLL is a bit of operating-system code that is stored independently so that it can be used by multiple programs.)

That older DLL has been replaced with a newer one called jscript9.dll in IE 10 and 11, and jscript9.dll is not affected by this vulnerability. However, newer browsers can load jscript.dll if a website requires it, and the older DLL is still used by default in IE 9 and earlier on Windows 7.

How to mitigate this from the command line

If you're comfortable using the Windows command line, you can mitigate this vulnerability with a couple of commands from an administrative account. 

For 32-bit Windows, use these in succession:

takeown /f %windir%\system32\jscript.dll     

cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit Windows, use those two AND these two:

takeown /f %windir%\syswow64\jscript.dll

cacls %windir%\syswow64\jscript.dll /E /P everyone:N

If you need to undo these mitigations, you can do so in 32-bit Windows with:

cacls %windir%\system32\jscript.dll /E /R everyone  

Users of 64-bit Windows would need to run that as well as this:

cacls %windir%\syswow64\jscript.dll /E /R everyone