Microsoft has reported a zero-day vulnerability in Internet Explorer that is already being exploited in "limited targeted attacks." The issue was assigned the identifier CVE-2020-0674 and is related to a vulnerability in the Firefox browser that became known in early January. Apparently, these "limited attacks" are part of a larger hacking campaign that also included attacks on Firefox users.
Experts at Qihoo 360 were the first to mention this vulnerability publicly, tweeting that the Firefox 0-day was being used in conjunction with another zero-day in Internet Explorer. The tweet was later deleted, and Microsoft representatives declined to comment at the time.
Microsoft now describes the zero-day as a remote code execution (RCE) vulnerability caused by memory corruption in the IE scripting engine. Exploiting it allows an attacker to execute arbitrary code in the context of the current user. To do so, the attacker only needs to lure an IE user to a malicious site.
According to Microsoft, the vulnerability affects Internet Explorer 9, 10 and 11 running on Windows 7, 8.1, 10, Server 2008, Server 2012, Server 2016 and Server 2019. There is no patch for the new issue yet; instead of a fix, Microsoft has published security recommendations (ADV200001) to reduce the risk. Work on a patch is reportedly already underway, but no release date has been announced.