Sunday, July 14, 2024

Root Cause of Powerful Internet Explorer (IE) Zero-day Vulnerability that Allow Attackers to Perform Remote Hacking

New Internet Explorer Zero-day remote code execution vulnerability has been discovered that allows an attacker could execute arbitrary code and take the complete control of the infected system.

Once the attacker successfully exploits this zero-day vulnerability then they could take control of an affected system and if the victims logged in with administrative user rights then the attacker can view, change, or delete data also they create a new account with full rights.

Same vulnerability used by APT Cyber groups exploited Windows Computers during it was unpatched by Microsoft.

This Zero-day vulnerability affected all the Windows OS versions, Windows Server 2008, Windows Server 2012.

An exploit that discovered from Virus total to trigger this Zero-day Vulnerability ( CVE-2018-8174)it has been analyzed using sandbox system and it successfully exploits fully patched version of Microsoft Word.

This vulnerability specifically existing in the VBScript engine and the way it handles objects in memory.

Cyber Criminals abuse the method called URL moniker to load an IE exploit in Word to perform a further attack and this is the first public exploit using this Technique.

This is one of the powerful technique to create a various exploit in future by cyber criminals and researchers believes that this technique will be heavily abused by attackers in the future.

How Does this Zero-day Vulnerability Works

An initially malicious sample that discovered from Virustotal has been analyzed through sandbox and discovered that it bypasses the fully patched version of MS word has been exploited.

An exploit is distributed through malicious Microsoft Word document and once it opens by the victims then it downloads the exploit as the second stage of HTML page containing VBScript code.

Initial Payload deliverable obfuscated  Rich Text Format (RTF) document contains an exploit for Internet Explorer (IE) along with  nibble drop“ obfuscation technique with only one Object.

Deobfuscation of-the object data reveals an OLE object that contains a URL Moniker CLSID which helps to resemble an older vulnerability (CVE-2017-0199) by this Exploit.

Here Word will try to execute the file with the default file handler based on its attributes which allows an attacker to directly call ShellExecute and launch a payload.

After the further investigation, Kaspersky researchers conclude that the vulnerability is actually in VBScript, not in Microsoft Word and also said, This is the first time we’ve seen a URL Moniker used to load an IE exploit.
 This technique allows one to load and render a web page using the IE engine, even if default browser on a victim’s machine is set to something different.

HTML page contains obfuscated both function names and integer values where the VB Script has been downloaded.

                                                            Obfuscated IE exploit

Later Exploit has been deobfuscated and researchers had a look on first function called (‘TriggerVuln’) in the deobfuscated version.

Following Proof-of-concept code will helps to trigger this vulnerability in IE browser.

                                                   CVE-2018-8174 Proof Of Concept

Finally, Researchers conclude the Root cause of this vulnerability is Inside the VBScriptClass:: Release function, the reference count is checked only once, at the beginning of the function.

   A root cause of CVE-2018-8174 – ‘refCount’ being checked only once, before TerminateClass function

This exploit immediately shared the relevant information with Microsoft and they confirmed and fixed CVE-2018-8174.


Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles