This month’s Patch Tuesday bundle of updates from Microsoft included a fix for a critical vulnerability that has been actively exploited by at least one hacking gang in targeted attacks.
The vulnerability, dubbed CVE-2018-8174, is a remote code execution flaw in the Windows VBScript Engine and affects the latest version of Internet Explorer and any other applications that rely upon IE’s web-rendering code.
It’s a highly critical vulnerability because, if the targeted user is logged in with admin rights, it could allow an attacker to take control of affected systems via a backdoor, install malicious code, or even create brand new users with full access rights.
In its advisory, Microsoft describes how an attacker could create a boobytrapped webpage or website ad containing exploit code, and trick a user into visiting it with Internet Explorer.
But how would a user be lured into visiting the malicious webpage in the first place?
One well-worn technique beloved by online criminals is to send the intended target a carefully crafted email containing a dangerous link, and hope that the victim clicks on the link with Internet Explorer.
However, in this case, as researchers at Kaspersky have described, it appears that a malicious Rich Text Format (RTF) document containing an OLE object was being used, capable of successfully exploiting a fully-patched version of Microsoft Word:
The infection chain consists of the following steps:
- A victim receives a malicious Microsoft Word document.
- After opening the malicious document, a second stage of the exploit is downloaded; an HTML page containing VBScript code.
- The VBScript code triggers a Use After Free (UAF) vulnerability and executes shellcode.
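For defenders triaging documents that fit the first two steps of this chain, the sketch below (an added example, not code from Kaspersky, Microsoft or the original post) pulls the hex payload out of an RTF file's `\objdata` groups and lists any URLs found inside it. The function names and the sample fragment are constructed for illustration; the fragment is not a valid OLE object.

```python
import re

# RTF control words that mark an embedded or linked OLE object.
OBJ_WORDS = re.compile(rb"\\(object|objdata|objemb|objautlink|objupdate|objocx)\b")
# \objdata carries the object as hex digits, often wrapped across lines.
OBJDATA = re.compile(rb"\\objdata\b([0-9a-fA-F\s]+)")
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]{4,}")
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}")


def triage_rtf(data: bytes) -> dict:
    """Report OLE control words and URLs hidden in \\objdata hex.

    Only whitespace-wrapped hex is handled; other RTF obfuscation is not,
    so an empty result does not clear a file. A hit is a triage lead.
    """
    urls = []
    for m in OBJDATA.finditer(data):
        digits = re.sub(rb"\s+", b"", m.group(1))
        digits = digits[: len(digits) & ~1]  # drop a dangling nibble
        blob = bytes.fromhex(digits.decode("ascii"))
        urls += [u.decode("ascii") for u in URL_ASCII.findall(blob)]
        urls += [u.decode("utf-16le") for u in URL_UTF16.findall(blob)]
    words = sorted({m.group(1).decode() for m in OBJ_WORDS.finditer(data)})
    is_rtf = data.lstrip().startswith(b"{\\rt")
    return {"is_rtf": is_rtf, "control_words": words, "urls": urls,
            "suspicious": is_rtf and bool(urls)}


def constructed_sample() -> bytes:
    """Constructed, non-functional RTF fragment with a UTF-16 URL in \\objdata."""
    url = "http://second-stage.example/page.html"  # placeholder, reserved TLD
    payload = b"\x01\x05\x00\x00" + url.encode("utf-16le") + b"\x00\x00"
    hexed = payload.hex()
    wrapped = "\n".join(hexed[i:i + 32] for i in range(0, len(hexed), 32))
    rtf = "{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata " + wrapped + "}}}"
    return rtf.encode("ascii")


if __name__ == "__main__":
    for key, value in triage_rtf(constructed_sample()).items():
        print(f"{key}: {value}")
```

An RTF attachment that carries an object whose data references a remote URL is worth escalating for sandboxing or manual review before it reaches a user's copy of Word.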
Kaspersky security researcher Anton Ivanov explained that the attack was crafted in this fashion to cunningly force Internet Explorer to execute, even if the default browser configured to run on (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Graham Cluley. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/zero-day-flaw-exploited-in-targeted-attacks-is-fixed-by-microsoft/