[UPDATE] When we released this warning over a week ago, we suspected it might gain traction and become a bigger issue. As expected, Microsoft addressed this vulnerability on Patch Tuesday. Of the many items addressed in the patch, the most important fixes are around CVE-2018-8174. This CVE references a Windows VBScript engine remote code execution vulnerability – otherwise known as the Double Kill IE zero-day vulnerability.
Microsoft's legacy browser Internet Explorer (IE) has been used for almost three decades, but not without issues. IE has been so plagued with security problems that Microsoft built a new, more secure browser called Edge. But there are still some issues. Edge’s forward-leaning technology doesn’t support some of IE’s legacy capabilities. For that reason, IE still comes installed on all Windows operating systems. So, once again, IE has been exploited by attackers, as discovered and observed in the wild by the Chinese security firm Qihoo 360. They’re calling this new zero-day vulnerability Double Kill. The firm believes this is an advanced persistent threat (APT) aimed at achieving ongoing access to targeted systems.
Technical details and a POC have not been released at this time. However, Qihoo 360 has stated that Double Kill involves an IE vulnerability which uses Microsoft Word documents (usually sent as an email attachment) as the attack vector. Qihoo 360 also states that the document contains some unspecified sort of shellcode. Internet Explorer is somehow opened in the background processes, which leads to an executable program being downloaded and executed – without any visible warning to the user. Opening malicious documents with Double Kill allows attackers to control victims’ computers without their knowledge, making ransomware infection, eavesdropping and data leakage convenient and stealthy.
This vulnerability is being actively exploited. If a system is vulnerable, attackers may be able to remotely take over affected systems by executing malicious code remotely. There are currently two known methods to accomplish this – via a compromised website and by malicious Microsoft Office documents.
These types of attacks typically begin with spear phishing attempts, a type of email-spoofing attack that targets specific organizations or individuals. If successful, an individual may unknowingly activate malware embedded within attached Word documents, believing they are from a trusted source. In many attack scenarios, attackers get in and get out quickly to avoid detection. With an APT, the goal of the attacker is to achieve ongoing access.
This vulnerability in the VBScript engine is similar to previous browser vulnerabilities. Analysis indicates the most prominent method of attack involves distribution of an Office document, likely Word, with an embedded webpage.
The Word document in question doesn't automatically download to the computer, and requires interaction on behalf of the user. Users must be on IE, and they must open the infected file, which would then launch a malicious webpage. The malware then uses a user account control bypass and file steganography, or what is called the embedding of a file, message or image within another file, message or image.
Attackers may also take advantage of a method that embeds an ActiveX control which has been marked as "safe for initialization" into a Microsoft Office document or application that hosts an IE rendering engine. Once the document is opened, the code execution occurs. This is extremely dangerous. It not only acts as a browser vulnerability, but also affects ActiveX controls and embedded webpages in Office documents. Until this is patched, attackers can potentially force IE to load, even if it’s not the default browser.
Urgently required actions
Stop using IE. Microsoft has not released a statement or any patches at this time. If, for some reason, you need to continue using IE, follow IT security best practices.
Microsoft May 2018 Patch Tuesday fixes 67 security issues, including the IE Double Kill vulnerability and other critical security concerns. Apply this patch as soon as possible, as the patch addresses a second zero-day (CVE-2018-8120), a privilege escalation vulnerability in the Win32k component.
Tenable® has developed several Nessus® and NNM plugins for IE, which can help you discover, identify and assess potential vulnerabilities in the legacy browser.
Get more information:
- Qihoo 360 blog post
- Learn more about Tenable.io®, the first Cyber Exposure platform for holistic management of your modern attack surface
- Get a free 60-day trial of Tenable.io Vulnerability Management