Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Why Are You Still Using IE? Double Kill Is Just the Latest Issue

[UPDATE] When we released this warning over a week ago, we suspected it might gain traction and become a bigger issue. As expected, Microsoft addressed this vulnerability on Patch Tuesday. Of the many items addressed in the patch, the most important fixes are around CVE-2018-8174. This CVE references a Windows VBScript engine remote code execution vulnerability – otherwise known as the Double Kill IE zero-day vulnerability.

Microsoft's legacy browser Internet Explorer (IE) has been used for almost three decades, but not without issues. IE has been so plagued with security problems that Microsoft built a new, more secure browser called Edge. But there are still some issues. Edge’s forward-leaning technology doesn’t support some of IE’s legacy capabilities. For that reason, IE still comes installed on all Windows operating systems. So, once again, IE has been exploited by attackers, as discovered and observed in the wild by the Chinese security firm Qihoo 360. They’re calling this new zero-day vulnerability Double Kill. The firm believes this is an advanced persistent threat (APT) aimed at achieving ongoing access to targeted systems.

Impact assessment

Technical details and a POC have not been released at this time. However, Qihoo 360 has stated that Double Kill involves an IE vulnerability which uses Microsoft Word documents (usually sent as an email attachment) as the attack vector. Qihoo 360 also states that the document contains some unspecified sort of shellcode. Internet Explorer is somehow opened in the background processes, which leads to an executable program being downloaded and executed – without any visible warning to the user. Opening malicious documents with Double Kill allows attackers to control victims’ computers without their knowledge, making ransomware infection, eavesdropping and data leakage convenient and stealthy.

This vulnerability is being actively exploited. If a system is vulnerable, attackers may be able to remotely take over affected systems by executing malicious code remotely. There are currently two known methods to accomplish this – via a compromised website and by malicious Microsoft Office documents.

Vulnerability details

These types of attacks typically begin with spear phishing attempts, a type of email-spoofing attack that targets specific organizations or individuals. If successful, an individual may unknowingly activate malware embedded within attached Word documents, believing they are from a trusted source. In many attack scenarios, attackers get in and get out quickly to avoid detection. With an APT, the goal of the attacker is to achieve ongoing access.

This vulnerability in the VBScript engine is similar to previous browser vulnerabilities. Analysis indicates the most prominent method of attack involves distribution of an Office document, likely Word, with an embedded webpage.

Exploitation

The Word document in question doesn't automatically download to the computer, and requires interaction on behalf of the user. Users must be on IE, and they must open the infected file, which would then launch a malicious webpage. The malware then uses a user account control bypass and file steganography, or what is called the embedding of a file, message or image within another file, message or image.

Attackers may also take advantage of a method that embeds an ActiveX control which has been marked as "safe for initialization" into a Microsoft Office document or application that hosts an IE rendering engine. Once the document is opened, the code execution occurs. This is extremely dangerous. It not only acts as a browser vulnerability, but also affects ActiveX controls and embedded webpages in Office documents. Until this is patched, attackers can potentially force IE to load, even if it’s not the default browser.

Urgently required actions

Stop using IE. Microsoft has not released a statement or any patches at this time. If, for some reason, you need to continue using IE, follow IT security best practices.

Microsoft May 2018 Patch Tuesday fixes 67 security issues, including the IE Double Kill vulnerability and other critical security concerns. Apply this patch as soon as possible, as the patch addresses a second zero-day (CVE-2018-8120), a privilege escalation vulnerability in the Win32k component.

Tenable® has developed several Nessus® and NNM plugins for IE, which can help you discover, identify and assess potential vulnerabilities in the legacy browser.

Get more information:

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security