Microsoft patches CVE-2020-0674 Internet Explorer zero-day

Executive briefing: Microsoft released a security update for CVE-2020-0674 during February Patch Tuesday, addressing a use-after-free flaw in the Internet Explorer scripting engine that attackers had been exploiting. Systems with IE installed require the patch even if Edge or another browser is the primary client.

Why it matters

• The vulnerability allowed remote code execution via malicious web content and had documented in-the-wild exploitation.
• Many enterprise applications still leverage IE components or the legacy scripting engine, so unpatched machines remain exposed.
• Temporary mitigations issued in January (restricting JScript.dll) carried compatibility risk; the February patch is the durable fix.

Operator actions

• Prioritize deployment of the CVE-2020-0674 fix across supported Windows desktop and server builds, including those with IE installed for legacy apps.
• Validate that any temporary mitigations (e.g., JScript.dll ACL changes) are rolled back only after confirming the patch is applied.
• Test line-of-business applications that embed IE or rely on the scripting engine to ensure functionality after patching.
• Monitor web proxy and endpoint telemetry for exploitation attempts targeting JScript engine usage.

Key sources

• Microsoft Security Update Guide: CVE-2020-0674 (details impacted versions and patch availability).
• Microsoft Advisory ADV200001 (earlier guidance confirming active exploitation and recommending mitigations).