Zero-Day Memory Corruption (Patch released) CVE-2019-1367 for IE9/10/11 (+iMB?).

For trouble installing the software or activating your license, please open a support case. Freeware and Personal Edition users can also post questions here.
Forum rules
Before asking a question or reporting an issue:
1. Please review the list of FAQ's.
2. Use the search box (at the top of each forum page) to see if a similar problem or question has already been addressed.
3. Try searching the iMacros Wiki - it contains the complete iMacros reference as well as plenty of samples and tutorials.
4. We can respond much faster to your posts if you include the following information: CLICK HERE FOR IMPORTANT INFORMATION TO INCLUDE IN YOUR POST
Post Reply
chivracq
Posts: 9749
Joined: Sat Apr 13, 2013 1:07 pm
Location: Amsterdam (NL)

Zero-Day Memory Corruption (Patch released) CVE-2019-1367 for IE9/10/11 (+iMB?).

Post by chivracq » Mon Sep 23, 2019 8:03 pm

For Users using iMacros for IE v11.x or v12.x with IE9/IE10/IE11, be aware that Microsoft released today an "urgent" Security Patch outside the "regular" monthly Patch Tuesday to address a Zero-Day Security Vulnerability (already exploited):
- CVE-2019-1367 | Scripting Engine Memory Corruption Vulnerability
(Links to MS Site, with Links to download all specific KB's for IE9/10/11 on WS2008/2012/2019_x32/64 + Win7/8.1/10_x32/64, Patch doesn't get "automatically" offered in Windows Update (yet), dynamic Content on the Page not displayed on PM v26.3.3, but OK on FF v55.0.3.)
Published: 09/23/2019
MITRE CVE-2019-1367

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

[...]
+ Announcement on ZDNet:
- Microsoft releases out-of-band security update to fix IE zero-day & Defender bug

>>>

And for @TechSup to confirm/infirm (and to edit my Thread Title if I'm hopefully "wrong"), but I would think Users using any Version of iMB (=> v9.x/v10.x/v11.x/v12.x) will probably also be affected, as iMB is forked/built on the IE Engine afaik, and probably also uses the same "Scripting Engine"... :oops:
- (F)CI(M) = (Full) Config Info (Missing): iMacros + Browser + OS (+ all 3 Versions + 'Free'/'PE').
- I don't even read the Qt if that (required) Info is not mentioned...!
- Script & URL help a lot for more "educated" Help...
chivracq
Posts: 9749
Joined: Sat Apr 13, 2013 1:07 pm
Location: Amsterdam (NL)

Re: Zero-Day Memory Corruption (Patch released) CVE-2019-1367 for IE9/10/11 (+iMB?).

Post by chivracq » Mon Sep 23, 2019 10:52 pm

Hum, in the meantime, there is more Info, and a Workaround available...:
https://portal.msrc.microsoft.com/en-us ... 7#ID0EUGAC
Workarounds

Restrict access to JScript.dll
For 32-bit systems, enter the following command at an administrative command prompt:

Code: Select all

takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
For 64-bit systems, enter the following command at an administrative command prompt:

Code: Select all

takeown /f %windir%\syswow64\jscript.dll
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N
Impact of Workaround
Implementing these steps might result in reduced functionality for components or features that rely on jscript.dll. To be fully protected, Microsoft recommends the update be installed as soon as possible. Please revert the mitigation steps before installing the update to return to a full state.

By default, IE11, IE10, and IE9 uses Jscript9.dll which is not impacted by this vulnerability. This vulnerability only affects certain websites that utilize jscript as the scripting engine.

How to undo the workaround
For 32-bit systems, enter the following command at an administrative command prompt:

Code: Select all

cacls %windir%\system32\jscript.dll /E /R everyone
For 64-bit systems, enter the following command at an administrative command prompt:

Code: Select all

cacls %windir%\system32\jscript.dll /E /R everyone   
cacls %windir%\syswow64\jscript.dll /E /R everyone

And the following Sentence is actually maybe "double" or "triple" "Good News" for iMB Users, ah-ah...!, or maybe not...!?: :wink:
"By default, IE11, IE10, and IE9 uses Jscript9.dll which is not impacted by this vulnerability. This vulnerability only affects certain websites that utilize jscript as the scripting engine."

- I don't know, I never installed iMB, but it could be that iMB (all Versions) only uses the "Default" 'Jscript9.dll' (which is not impacted), and doesn't even use the "faulty" 'jscript.dll'. :P

- If iMB uses those 2 '.DLL''s directly from IE and thus from the '%windir%\system32\' Folder, => Patching IE on a System will also patch iMB directly...! 8)
And this could be very much the Case...! IE for the last maybe 10 years doesn't often get (Security) Updates, but iMB even less often, and never labelled as "Security" Updates, but "New Release"/"New Version", and I always "wondered" about the Security Level of iMB as a Browser... :twisted: , but hum, the Developer who created iMacros and iMB was/is pretty clever, ah-ah...!, so I wouldn't be surprised if he thought about that Security/Update Process already when he created iMacros, and implemented iMacros/iMB that it relied directly on the Security/Patch Level of the IE Version(s) installed on the System to avoid to have to release a new (Security) Version every time IE needed to be patched... 8)
I don't know, I never "studied" and decompiled iMB, but that would sound like a plausible and clever Implementation of the Software to me... :P

- If iMB uses its own Copy of those 2 '.DLL''s that it copies into some '\iMacros\...' Folder (=> 'C:\Program Files (x86)\Ipswitch\iMacros\'...?, for iMB_x32), it will probably be possible to replace the "faulty" DLL (I guess they probably didn't change the Name, or a quick Check on the Size will probably indicate which one is which one...) from the '\iMacros\' Folder with a "sane" one from a patched System, without waiting for @Dev to release a new Version... :idea:

(@TechSup to confirm/test all those "Assumptions" of mine, of course...! :wink: )
- (F)CI(M) = (Full) Config Info (Missing): iMacros + Browser + OS (+ all 3 Versions + 'Free'/'PE').
- I don't even read the Qt if that (required) Info is not mentioned...!
- Script & URL help a lot for more "educated" Help...
iMacrosTeam
Posts: 5
Joined: Fri Jan 11, 2019 12:15 pm

Re: Zero-Day Memory Corruption (Patch released) CVE-2019-1367 for IE9/10/11 (+iMB?).

Post by iMacrosTeam » Tue Sep 24, 2019 7:43 am

The iMacros browser simply "wraps" the low-level components of IE as described in this FAQ.

So, separate security updates have never been required for the iMacros browser because updating IE effectively achieves the same.
Post Reply