BD is aware of and currently monitoring a Microsoft vulnerability, which was announced on January 21, 2020 and affects Internet Explorer. This third-party vulnerability, which Microsoft corrected with their February patch release, is not specific to BD or our products. Additionally, we have not received any reports regarding this vulnerability being exploited on BD products.
CVE-2020-0674 is a remote code execution vulnerability that exists in the way that the scripting engine handles objects in memory in Internet Explorer. This vulnerability affects Internet Explorer 9, 10, and 11 which Windows 7, 8, 10, and Windows Server 2008 R2, 2012, 2016, and 2019 utilize. The security patch, made available by Microsoft, addresses the vulnerability by modifying how the script engine handles objects in memory.
This vulnerability could cause memory corruption and could allow an unauthorized user to execute custom code that would appear to come from the authorized account. If successfully exploited, an unauthorized user would be able to gain the same user rights as a logged in user. This vulnerability can be exploited through a web-based attack scenario if a user browsed to a malicious website through Internet Explorer.
BD is currently working to test and validate the Microsoft patch for BD products that use the affected third-party components. Please see the Product Security Patching website for all approved product security patching notifications. Additionally, we recommend the following compensating controls for customers using BD products that utilize Internet Explorer 9, 10, and 11.
After further assessment, BD identified additional products in scope of this vulnerability. BD continues to test and validate the Microsoft patch for BD products using Internet Explorer 9, 10, and 11. For all approved patching notifications, please see the Product Security Patch website.
BD has not received any reports of this third-party Microsoft vulnerability being exploited on BD products. The product list below is available to customers to help identify existing BD products that utilize Internet Explorer 9, 10, and 11. The list provided below is not comprehensive and may be updated as more products are identified. It does not indicate the patch or device status.