Important notice to M-Files customers about Microsoft IE vulnerability (UPDATED)
Posted by Sakari Heinonen (M-Files) on 22 January 2020 09:48 AM

UPDATE February 7th:

This is an update to the original statement at the end of this article:

Concerning "Important notice to M-Files customers about Microsoft IE vulnerability" and Microsoft's Security Advisory ADV200001, we would like to inform you that a solution is going to be available in the February 2020 release of M-Files.

The February 2020 release of M-Files and later versions are now compatible with systems that have the Microsoft Security Advisory ADV200001 workaround implemented on them.

Starting from the February 2020 release of M-Files, M-Files Desktop automatically switches to using a more recent official Microsoft scripting engine (jscript9.dll) if the default official scripting engine (jscript.dll) is unavailable. According to the Microsoft Edge Team, this change should retain full backward compatibility. With this change in M-Files Desktop in the February 2020 release of M-Files (20.2), M-Files Desktop will continue to work even if you restrict access to jscript.dll as instructed in Microsoft's Security Advisory ADV200001 at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200001. After upgrading to the February 2020 release of M-Files, you can apply the workaround described in ADV200001 without impacting M-Files Desktop functionality.

M-Files Online customers will get the update automatically so you will not need to do anything. M-Files 2018 customers should go to the Update page at https://www.m-files.com/update-mfiles to get the latest version. Please contact technical support for any further information or help.

The original statement from 22nd of January 2020:

---------------

Microsoft published a Security Advisory on January 17, 2020 about a vulnerability in a script engine used by Internet Explorer (%windir%\...\jscript.dll), which M-Files also uses by default. We have investigated the situation and its implications for M-Files, and have the following information and advice for M-Files users.

The likely exploitation scenario for the CVE-2020-0674 vulnerability (jscript.dll vulnerability) is that a user who uses Internet Explorer visits a web site containing malicious content that forces Internet Explorer to load the jscript.dll script engine and also contains malicious code that takes advantage of the vulnerability. If your users are not using Internet Explorer, the likelihood of an exploit is not high. There may be other ways to exploit the vulnerability even in such a case, but you are avoiding the typical exploit by not using Internet Explorer.

M-Files Desktop uses Windows Script Host, which uses jscript.dll. Even though M-Files Desktop uses the Microsoft component jscript.dll that has a vulnerability, we are not aware of a possibility of exploiting the vulnerability with M-Files Desktop. M-Files Desktop loads and executes only trusted code using jscript.dll, not arbitrary code or arbitrary web site content. Thus, you are not exposed to the known vulnerability if you continue to use M-Files Desktop.

Microsoft has advised that, to mitigate the vulnerability in jscript.dll, customers can revoke access to the jscript.dll file. However, Microsoft notes that this will likely break some applications that depend on jscript.dll. M-Files Desktop depends on jscript.dll, and revoking access to jscript.dll makes M-Files Desktop non-functional.

M-Files is working in cooperation with Microsoft to provide a permanent solution to the issue caused by the vulnerability in the Microsoft component jscript.dll. Until a permanent solution is available, we recommend the following workarounds:

A) Do not apply the mitigation steps provided by Microsoft. Instead, advise your end users to not use Internet Explorer. The users can continue to use M-Files Desktop. Note that there is no guarantee that the vulnerability in jscript.dll could not be exploited in some other way, but we believe that avoiding the use of Internet Explorer is currently a safe enough workaround and enables you to continue using M-Files Desktop.

OR

B) Apply the mitigation steps provided by Microsoft, which will make M-Files Desktop non-functional. Use M-Files Web and M-Files Mobile until either Microsoft provides a fixed version of jscript.dll or another permanent solution from Microsoft or M-Files becomes available.

M-Files is working in cooperation with Microsoft to provide a permanent solution to the issue as soon as possible. The likely permanent solutions include receiving a fixed version of jscript.dll from Microsoft or modifying the M-Files Desktop application to use an alternative script engine instead of Microsoft's jscript.dll. We estimate that a permanent solution could be made available by January 31, 2020, but we cannot guarantee this because we are still in the early stages of investigation.

Please contact Customer Support if you have any further questions about this topic.

----------

Thank you,

M-Files Team

