Follow-up articles to Patch Tuesday just about always contain an explanation of why you should patch (see below). Given that exploits will be coming thick and fast once the bad guys reverse-engineer the patches, even if no attack was seen in the wild before the patch was issued, why don’t we drop all the effort spent explaining ‘why patch this time’ and move to ‘why patch all the time’? I advise patching as soon as possible and accepting the risk that something might break:
This month’s Patch Tuesday bundle of updates from Microsoft included a fix for a critical vulnerability that has been actively exploited by at least one hacking gang in targeted attacks.
The vulnerability, dubbed CVE-2018-8174, is a remote code execution flaw in the Windows VBScript Engine. It affects the latest version of Internet Explorer and any other applications that rely upon IE’s web-rendering code.
It’s a critical vulnerability: if the targeted user is logged in with admin rights, it could allow an attacker to take control of affected systems via a backdoor, install malicious code, or even create brand new users with full access rights.
In its advisory, Microsoft describes how an attacker could create a booby-trapped webpage or website ad containing exploit code and trick a user into visiting it with Internet Explorer.
But how would a user be lured into visiting the malicious webpage in the first place?
One well-worn technique beloved by online criminals is to send the intended target a carefully-crafted email containing a dangerous link and hope that the victim clicks on the link with Internet Explorer.
However, in this case, as researchers at Kaspersky have described, it appears that a malicious Rich Text Format (RTF) document containing an OLE object was being used, one which was capable of successfully exploiting a fully patched version of Microsoft Word:
The infection chain consists of the following steps:
- A victim receives a malicious Microsoft Word document.
- After opening the malicious document, a second stage of the exploit is downloaded: an HTML page containing VBScript code.
- The VBScript code triggers a Use After Free (UAF) vulnerability and executes shellcode.
Kaspersky security researcher Anton Ivanov explained that the attack was crafted in this fashion to cunningly force Internet Explorer to execute even if the default browser configured to run on a targeted user’s computer was an alternative such as Google Chrome or Mozilla Firefox. This trick dramatically increases the potential size of the attack surface.
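The carrier in this chain is an RTF document with an embedded OLE object. A mail gateway or triage script can flag that carrier before the document reaches Word. The following is an added example, not code from the article, Kaspersky or Microsoft: it walks an RTF blob for `\object` / `\objdata` groups, hex-decodes the payload and checks whether it carries an OLE compound-file header. The sample document it scans is constructed for the demonstration and contains no exploit.

```python
"""Flag RTF documents that embed OLE objects (the lure carrier described above).

Added example for illustration only; not the article's, Kaspersky's or
Microsoft's code. The RTF sample built below is constructed, not a real lure.
"""
from __future__ import annotations

import re

# RTF control words that introduce an embedded object and its serialised payload.
OBJECT_RE = re.compile(rb"\\object\b")
OBJDATA_RE = re.compile(rb"\\objdata\b")
# Class name announced for the object, e.g. {\*\objclass Word.Document.8}
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{}]+)")
# Signature of an OLE Compound File, the container embedded objects are stored in.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def extract_objdata(rtf: bytes) -> list[bytes]:
    """Return the decoded payload of every \\objdata group in an RTF blob."""
    payloads = []
    for m in OBJDATA_RE.finditer(rtf):
        # Scan from the control word to the brace that closes its group,
        # tracking nesting so an inner group does not end the scan early.
        depth, i = 1, m.end()
        start = i
        while i < len(rtf) and depth > 0:
            c = rtf[i:i + 1]
            if c == b"{":
                depth += 1
            elif c == b"}":
                depth -= 1
            i += 1
        body = rtf[start:i - 1]  # drop the closing brace
        # \objdata is hex text; whitespace and line breaks may appear between digits.
        hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", body)
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]  # tolerate a truncated trailing nibble
        payloads.append(bytes.fromhex(hexdigits.decode("ascii")))
    return payloads


def analyze_rtf(rtf: bytes) -> dict:
    """Summarise embedded-object indicators in an RTF document."""
    payloads = extract_objdata(rtf)
    classes = [m.group(1).strip().decode("ascii", "replace")
               for m in OBJCLASS_RE.finditer(rtf)]
    return {
        "is_rtf": rtf.lstrip().startswith(b"{\\rtf"),
        "object_groups": len(OBJECT_RE.findall(rtf)),
        "objdata_payloads": len(payloads),
        "ole_compound_files": sum(1 for p in payloads if OLE_MAGIC in p),
        "object_classes": classes,
        # Any embedded OLE object in a mailed RTF deserves a closer look; the
        # lure described in the article used exactly this carrier.
        "suspicious": len(payloads) > 0,
    }


def build_sample_rtf() -> bytes:
    """Constructed sample: an OLE1 stream whose native data begins with the
    compound-file signature, wrapped in RTF \\object / \\objdata groups."""
    cls = b"Word.Document.8\x00"
    ole1 = (b"\x01\x05\x00\x00"                     # OLE version
            + b"\x02\x00\x00\x00"                   # format: embedded object
            + len(cls).to_bytes(4, "little") + cls  # class name
            + b"\x00" * 8                           # topic / item name lengths
            + (16).to_bytes(4, "little")            # native data length
            + OLE_MAGIC + b"\x00" * 8)              # native data: header stub
    hexdata = ole1.hex().encode("ascii")
    return (b"{\\rtf1\\ansi\n"
            b"{\\object\\objemb{\\*\\objclass Word.Document.8}"
            b"{\\*\\objdata " + hexdata + b"}}\n"
            b"Please review the attached quarterly figures.\\par\n}")


if __name__ == "__main__":
    for name, doc in (("sample-with-ole", build_sample_rtf()),
                      ("plain", b"{\\rtf1\\ansi Hello\\par}")):
        print(name, analyze_rtf(doc))
```

Run against a real mailbox export, the `suspicious` flag is a triage signal rather than a verdict: legitimate documents embed OLE objects too, so the `object_classes` list is there to help an analyst decide which ones warrant detonation in a sandbox.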
Chinese security researchers at Qihoo say that they first saw the zero-day vulnerability being exploited in attacks against Chinese trade agencies and related organisations on April 18, 2018. They quickly informed Microsoft of the problem.
Because of the nature of the targeted Chinese organisations and the sophistication of the attack, there has been much speculation online that the zero-day exploit may have been engineered by a state-sponsored hacking group.
Whether the malware attack was perpetrated by an intelligence agency or not, it’s clear that businesses and home users should patch their computer systems as a matter of priority. After all, who knows how long it might be until other online attackers start to use the same techniques?
Kaspersky researcher Ivanov echoes these sentiments in his advice to computer users and those responsible for protecting business networks:
“We urge organizations and private users to install recent patches immediately, as it won’t be long before exploits to this vulnerability make it to popular exploit kits and will be used not only by sophisticated threat actors but also by standard cybercriminals.”