Internet Explorer JScript Engine Memory Corruption RCE
CVE-2020-0674 is a remote code execution vulnerability in the Microsoft Internet Explorer scripting engine, specifically the legacy JScript component (jscript.dll). The flaw is described by Microsoft as a scripting engine memory corruption vulnerability caused by the way the engine handles objects in memory. Supporting context indicates it belongs to the same legacy JScript bug class as CVE-2018-8653, CVE-2019-1367, and CVE-2019-1429, and has been described as likely addressing a misfix of CVE-2019-1367. The vulnerability can be triggered when Internet Explorer processes attacker-controlled script content, leading to memory corruption and subsequent arbitrary code execution in the browser process.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository contains a working exploit for CVE-2020-0674, a use-after-free vulnerability in the legacy JScript engine of Internet Explorer. The exploit is implemented as a single HTML file (exploit.html) containing heavily commented JScript code. The exploit targets 64-bit versions of Internet Explorer (8, 9, 10, 11) on Windows 7, and leverages a flaw in the Array.sort comparator function to achieve arbitrary code execution. The provided payload launches the Windows calculator (calc.exe) to demonstrate successful exploitation, but the payload can be modified for arbitrary command execution. The README.md provides detailed background, configuration requirements, and usage notes. The exploit does not fully bypass all EMET mitigations but works under certain configurations. The main attack vector is through a malicious web page viewed in a vulnerable version of Internet Explorer. Notable fingerprintable endpoints include the path to calc.exe and the TabProcGrowth registry key, which is relevant for enabling the x64 process required for exploitation.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An Internet Explorer 0-day and variant/misfix-related vulnerability from the same jscript bug class as CVE-2019-1367, exploited in the wild by DarkHotel APT.
Referenced only in an informational update note as another CVE issued to address the vulnerability; no technical details are provided in the content.
An Internet Explorer legacy JScript engine vulnerability referenced as an in-the-wild zero-day and relevant to exploit kit targeting of unpatched IE systems.
Internet Explorer legacy JScript (jscript.dll) vulnerability previously used in in-the-wild IE exploitation chains (mentioned for contrast with CVE-2020-1380).