Microsoft's Patch Tuesday for May 2018 included a fix for an Internet Explorer zero-day vulnerability that was exploited in the wild last month.
The critical vulnerability in the Windows VBScript Engine, which affects Internet Explorer, as well as other Microsoft products, allows remote code execution on affected systems. An exploit known as Double Kill was reported by researchers at Chinese cybersecurity vendor Qihoo 360 in April; the Qihoo 360 Core Security research team reported an advanced persistent threat (APT) campaign was actively exploiting the Internet Explorer zero-day.
The Qihoo 360 Core Security team described how the threat actors embedded malicious websites within Microsoft Office documents; once the documents are opened, the Double Kill exploit activates and enables the threat actors to deploy additional malicious code via remote servers. While the researchers didn't attribute the Double Kill exploit to a specific group or nation-state or offer a motive, the Qihoo 360 report said the attack can be difficult to detect. The exploit uses in-memory execution to avoid leaving any trace on hard drives and also uses a known user account control bypass to steal administrator privileges.
"In recent years, we have discovered a rising trend that Office documents have taken the center stage of APT attacks," Qihoo 360 researchers wrote in a blog post. "Opening any malicious documents with 'double kill' allows attackers to control victims' computers without their knowledge, making ransomware infection, eavesdropping and data leakage convenient and stealthy."
Along with Office documents, Microsoft said the vulnerability, CVE-2018-8174, could be exploited in any application that uses the Internet Explorer engine by embedding an ActiveX control marked "safe for initialization" in the app. Chris Goettl, director of product management at Ivanti, warned that websites accepting or hosting user-generated content or ads could also be used to exploit the vulnerability.
Microsoft credited the vulnerability to several members of the Qihoo 360 Core Security team, as well as two members of Kaspersky Lab. In addition to patching the Internet Explorer zero-day, Microsoft addressed another vulnerability that was under attack: a privilege elevation vulnerability, discovered by ESET senior malware researcher Anton Cherepanov, in the Win32K component, which fails to properly handle objects in memory.
The Win32K vulnerability, which affects older OSes such as Windows 7 and Windows Server 2008, enables attackers to run arbitrary code in kernel mode. The flaw, CVE-2018-8120, has been exploited in the wild, but neither Microsoft nor ESET has provided details about the exploitation.
Microsoft's May Patch Tuesday also provided two public disclosures for new vulnerabilities, including an information disclosure vulnerability in the Windows kernel and a privilege elevation bug in Windows Image. Neither vulnerability was exploited in the wild.