HighCISA KEVExploited in the wildPublic exploit

Internet Explorer JScript use-after-free remote code execution

IdentifiersCVE-2020-1380CWE-416

CVE-2020-1380 is a remote code execution vulnerability in Internet Explorer 11’s scripting engine, specifically in jscript9.dll. The flaw stems from improper handling of objects in memory and has been described by multiple sources as a JScript use-after-free condition associated with JIT-optimized code paths. Exploitation can corrupt memory and allow an attacker to achieve arbitrary code execution in the context of the current user. Public reporting on active exploitation indicates the bug can be triggered through specially crafted web content rendered by Internet Explorer, including malicious or compromised websites, or content embedded via an ActiveX control marked safe for initialization in an application or Microsoft Office document hosting the IE rendering engine. Kaspersky’s reporting further states the exploit abused a JIT-related use-after-free in jscript9.dll to obtain arbitrary read/write, bypass CFG, and execute shellcode via a ROP chain.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary code execution in the security context of the current user. If the user has administrative privileges, the attacker can take full control of the affected system, including installing programs, viewing, modifying, or deleting data, and creating new accounts with full user rights. In observed attacks, CVE-2020-1380 was used as the initial code-execution stage in a broader exploit chain and was reported as actively exploited in the wild.

Mitigation

If you can’t patch tonight, do this now.

Until patching is completed, reduce or eliminate exposure to Internet Explorer and applications that host the IE rendering engine. Limit use of ActiveX, especially in documents or applications that embed IE components. Enforce least privilege so users do not operate with administrative rights. Reduce exposure to malicious web content by restricting access to untrusted sites and ad-driven/user-generated content, and consider disabling or tightly controlling legacy browser components where operationally feasible.

Remediation

Patch, then assume compromise.

Apply Microsoft’s security update for CVE-2020-1380, released on 2020-08-11, via Windows Update or the relevant MSRC security advisory. The update addresses the issue by modifying how the scripting engine handles objects in memory. Ensure Internet Explorer 11 and affected Windows systems are fully patched with the August 2020 security updates or later cumulative updates that include the fix.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationInternet Explorerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app

the hacker newsNews

Oct 16, 2024

North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware

A memory corruption vulnerability in the Windows Scripting Engine that allows remote code execution, previously exploited by ScarCruft.

eset welivesecurity blogNews

Nov 30, 2022

Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin

An Internet Explorer client-execution vulnerability used by ScarCruft during the watering-hole attack chain that ultimately led to BLUELIGHT and then Dolphin deployment.

securelistNews

Aug 12, 2020

Internet Explorer and Windows zero-day exploits used in Operation PowerFall | Securelist

Internet Explorer (JScript9.dll) use-after-free vulnerability enabling remote code execution via JIT-compiled code paths that omit necessary lifetime checks for ArrayBuffer/TypedArray backing stores.

trustwave spiderlabs blogNews

Aug 12, 2020

Patch Tuesday, August 2020

A remote code execution vulnerability in the Windows Scripting Engine that the content states has been publicly exploited.

+5 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence4

Every observed campaign linking this CVE to a named adversary.

Associated malware3

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2020-1380

NVD

nvd.nist.gov/vuln/detail/CVE-2020-1380

MITRE CWE · CWE-416

cwe.mitre.org

Patch

portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1380

Third Party Advisory

packetstormsecurity.com/files/163056/Internet-Explorer-jscript9.dll-Memory-Corruption.html

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1380