New Internet Explorer Zero-day remote code execution vulnerability has been discovered that allows an attacker could execute arbitrary code and take the complete control of the infected system.
Once the attacker successfully exploits this zero-day vulnerability then they could take control of an affected system and if the victims logged in with administrative user rights then the attacker can view, change, or delete data also they create a new account with full rights.
Same vulnerability used by APT Cyber groups exploited Windows Computers during it was unpatched by Microsoft.
This Zero-day vulnerability affected all the Windows OS versions, Windows Server 2008, Windows Server 2012.
An exploit that discovered from Virus total to trigger this Zero-day Vulnerability ( CVE-2018-8174)it has been analyzed using sandbox system and it successfully exploits fully patched version of Microsoft Word.
This vulnerability specifically existing in the VBScript engine and the way it handles objects in memory.
Cyber Criminals abuse the method called URL moniker to load an IE exploit in Word to perform a further attack and this is the first public exploit using this Technique.
This is one of the powerful technique to create a various exploit in future by cyber criminals and researchers believes that this technique will be heavily abused by attackers in the future.
How Does this Zero-day Vulnerability Works
An initially malicious sample that discovered from Virustotal has been analyzed through sandbox and discovered that it bypasses the fully patched version of MS word has been exploited.
An exploit is distributed through malicious Microsoft Word document and once it opens by the victims then it downloads the exploit as the second stage of HTML page containing VBScript code.
Initial Payload deliverable obfuscated Rich Text Format (RTF) document contains an exploit for Internet Explorer (IE) along with “nibble drop“ obfuscation technique with only one Object.
Deobfuscation of-the object data reveals an OLE object that contains a URL Moniker CLSID which helps to resemble an older vulnerability (CVE-2017-0199) by this Exploit.
Here Word will try to execute the file with the default file handler based on its attributes which allows an attacker to directly call ShellExecute and launch a payload.
After the further investigation, Kaspersky researchers conclude that the vulnerability is actually in VBScript, not in Microsoft Word and also said, This is the first time we’ve seen a URL Moniker used to load an IE exploit.
This technique allows one to load and render a web page using the IE engine, even if default browser on a victim’s machine is set to something different.
HTML page contains obfuscated both function names and integer values where the VB Script has been downloaded.
Later Exploit has been deobfuscated and researchers had a look on first function called (‘TriggerVuln’) in the deobfuscated version.
Following Proof-of-concept code will helps to trigger this vulnerability in IE browser.
Finally, Researchers conclude the Root cause of this vulnerability is Inside the VBScriptClass:: Release function, the reference count is checked only once, at the beginning of the function.
This exploit immediately shared the relevant information with Microsoft and they confirmed and fixed CVE-2018-8174.