Update: Reported as exploited in the wild as part of Google’s 2020 0day vulnerability spreadsheet they made available at https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786. Original tweet announcing this spreadsheet with the 2020 findings can be found at https://twitter.com/maddiestone/status/1329837665378725888

TLDR: Originally this was written as a low priority issue, however after further discussions internally we are upping the risk due to the fact that IE 11 is installed on every Windows computer and cannot be removed (as it is an OS component), and the fact that there still remains the risk of attack via social engineering, which could get around many of the originally proposed mitigations.

Originally I wrote this as a low priority issue, however after looking into it more I’m upping the risk on this as IE 11 is installed by default on every Windows system and it cannot be removed, which means that with some social engineering, its possible to compromise any Windows user’s computer. Above all else this factor should be kept in mind as it means that even if an organization doesn’t have IE set as its default, all it takes is a user who is convinced that to download some info they require they need to use IE instead of Firefox, and a malicious website, and attackers will start to have a foothold within the network.

Now what are some of the limiting factors here? Well you can’t uninstall IE, as it is integrated into every Windows operating system and is considered an OS component. This explains the point above as to why this vulnerability really does affect pretty much every single Windows user. However if organizations implement policies or protections that block IE from being run, then users will not be able to open IE and therefore trigger the vulnerability.

The other point to note is that according to https://gs.statcounter.com/browser-market-share, only 1.28% of people use IE these days, compared to 65.89% of people that use Chrome. The closest competitor there is Safari at a little over 16%. This means that this vulnerability is likely to be more of a risk to enterprises where IE use is more likely due to the prevalence of legacy systems and software, and is unlikely to affect the average home user.

However, keep in mind that particularly in the government space, there are many organizations that still use IE by default or which require users to interact with their legacy applications using IE (due to compatibility issues or similar). These organizations need to patch this issue as soon as possible as all it takes to exploit this issue is one user browsing to a site with a malicious advertisement or one user clicking a link in a malicious email for that user to be compromised.

For those that are not using IE by default this issue will be slightly less of a risk due to the need for attackers to conduct social engineering attacks against end users to convince them to load a malicious site in IE, however remember that all it takes is one user clicking on a link for attackers to start gaining a deeper foothold into your network. Even if the social engineering attack only nets a 10% success rate, if your targeting an organization of 1000 users, that’s 100 users that are now compromised, all of which could provide an attacker with unique possibilities to escalate their privileges within your network.