CVE-2021-27085

What is Internet Explorer's Scripting Engine?

Internet Explorer's scripting engine (JScript9.dll for modern JavaScript, jscript.dll for legacy JScript, and VBScript.dll for VBScript) processes dynamic web content embedded in HTML pages. The scripting engine executes attacker-controlled scripts in the context of the browser process and interacts deeply with MSHTML (Trident) — the DOM, page objects, and browser state. Vulnerabilities in the scripting engine occur when script execution causes memory corruption — such as type confusion, use-after-free, or buffer overflows in the script interpreter — enabling an attacker's JavaScript or VBScript to gain arbitrary code execution in the IE process. Because IE's scripting engine and MSHTML share the same process and memory space, scripting engine vulnerabilities and MSHTML memory corruption vulnerabilities have equivalent exploitability.

Overview

CVE-2021-27085 is a remote code execution vulnerability in Internet Explorer's scripting engine component. A remote attacker can exploit this by enticing a user to visit a malicious web page in Internet Explorer — the crafted page triggers a memory corruption vulnerability in the scripting engine, enabling code execution in the IE process. The identical CVSS profile (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L) to CVE-2021-26411 (the March 2021 Lazarus Group MSHTML UAF) indicates this was a concurrent zero-day in IE patched in the same Patch Tuesday cycle. CISA added CVE-2021-27085 to the KEV catalog in November 2021, confirming active exploitation.

Affected Versions

Technical Details

• Attack vector: Network-accessible, no authentication required, low complexity — a user visiting a malicious URL in IE triggers the vulnerability without additional interaction beyond clicking a link
• Scripting engine exploitation: Memory corruption in the IE scripting engine (JScript9/jscript/VBScript) creates a heap corruption primitive; by controlling the freed or corrupted memory's contents through further script execution, an attacker achieves type confusion and code execution in the IE process
• Scope: Changed (S:C): Consistent with IE's Protected Mode security boundary being bypassable, or with the scripting engine executing in a context that can affect resources outside the browser's normal scope — a known characteristic of IE's lower isolation model compared to modern browsers
• Impact profile C:L/I:H/A:L: The relatively low confidentiality and availability scores with high integrity reflect that the primary exploit value is arbitrary code execution (high integrity impact) rather than data exfiltration; code execution with integrity impact is the standard IE exploitation outcome
• MSHTML ecosystem: CVE-2021-27085 is part of a set of IE zero-days (alongside CVE-2021-26411) patched in March 2021, reflecting continued active exploitation of IE and MSHTML-based attack surfaces by multiple threat actors

Discovery

Reported to Microsoft and patched in March 2021 Patch Tuesday alongside CVE-2021-26411. The simultaneous disclosure of two IE vulnerabilities in the same Patch Tuesday cycle reflects the depth of exploitation activity targeting IE/MSHTML in early 2021. CISA's November 2021 KEV addition confirms ongoing exploitation of unpatched IE installations.

Exploitation Context

Internet Explorer zero-days are valuable for targeted attacks because IE is embedded in Windows and used by legacy enterprise applications even after Microsoft deprecated it. CVE-2021-27085 provides code execution via a drive-by web page — the same delivery mechanism as CVE-2021-26411, enabling attacks via phishing links, watering holes, or documents that load IE-rendered content. The KEV addition groups CVE-2021-27085 with other March 2021 IE vulnerabilities, indicating it was exploited by similar threat actors targeting enterprise Windows users who relied on IE or MSHTML-based applications.

Remediation

1. Apply March 2021 Patch Tuesday updates — patches CVE-2021-27085 in Internet Explorer and the MSHTML/scripting engine
2. Disable Internet Explorer on Windows 10 and later via Windows Features (optionalfeatures.exe → uncheck Internet Explorer 11); note this does not remove the scripting engine DLLs, which still require patching via Windows Update
3. Keep Windows fully updated — MSHTML and scripting engine DLLs are patched via Windows Update even after IE is disabled
4. Block IE from being launched via Group Policy — configure the "Turn off Internet Explorer 11 as a standalone browser" policy to prevent IE from being used for web content
5. Apply Application Control policies (AppLocker/WDAC) to prevent unexpected execution of JScript9.dll or VBScript.dll from untrusted contexts
6. Transition any applications using MSHTML WebBrowser control to the WebView2 (Chromium-based) control, which is actively maintained and patched