Dealing with Double Kill: The Latest Microsoft Zero-Day

Microsoft's Patch Tuesday update in May addressed several critical flaws in Windows. One of the key vulnerabilities was a zero-day in the VBScript engine (CVE-2018-8174) that was being exploited in the wild. This vulnerability, dubbed Double Kill, allowed attackers to compromise Windows machines through Internet Explorer.

Diving into Double Kill

Discovered by researchers at Qihoo 360 Core Security and Kaspersky Labs, Double Kill is a use-after-free vulnerability in the VBScript Engine. It affects several Windows OS versions such as Windows 7, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.

VBScript is a Windows-specific client-side scripting language, similar to JavaScript. Environments that support VBScript include IIS (Internet Information Server), WSH (Windows Script Host), .NET, Microsoft Office products (such as Word and Excel) and IE (Internet Explorer).

The vulnerability allows an attacker to force Internet Explorer to load and exploit the flaw on an unpatched machine, even when Chrome or Firefox is configured as the default browser.

The exploit leverages in-memory execution to avoid leaving any trace on hard drives and also uses a known User Account Control (UAC) bypass to steal administrator privileges.

Most antivirus engines can easily be bypassed by such a threat! And if delivered via well-known websites, it can easily bypass firewalls and secure web gateways too!

The Attack Surface

This VBScript vulnerability can be exploited in multiple ways by attackers:

  1. Web-based attacks: Specially crafted websites can exploit the vulnerability via Internet Explorer. The attack can also be delivered via websites that host user-provided content or advertising (malvertising).
  2. Microsoft Office documents: Attackers can embed an ActiveX control marked ‘safe for initialization’ within a Microsoft Office document that hosts an IE rendering engine.
  3. Spear-phishing emails: Attackers can combine the methods above with email, delivering a malicious document or malicious URL to initiate a targeted attack.

This vulnerability demands swift attention since it enables attackers to remotely take control of infected systems, which could result in installing ransomware, eavesdropping, and data manipulation attacks.
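For the Office-document vector listed above, one detection heuristic is to watch for Office processes loading the VBScript engine or the IE rendering engine. The sketch below is an added example, not part of the original post: the events are constructed samples that use Sysmon Event ID 7 (image load) field names, and the function name, host list and severity mapping are assumptions to tune for your environment.

```python
import ntpath  # parses Windows paths on any OS

# Assumption: the Office host processes worth watching in your environment.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# vbscript.dll is the VBScript engine; mshtml.dll is the IE rendering engine.
WATCHED = {"mshtml.dll": 1, "vbscript.dll": 2}  # module -> severity rank
SEVERITY = {1: "medium", 2: "high"}

# Constructed sample events using Sysmon Event ID 7 (image load) field names.
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "WS-014", "ProcessId": 4312,
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\mshtml.dll"},
    {"EventID": 7, "Computer": "WS-014", "ProcessId": 4312,
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
    {"EventID": 7, "Computer": "WS-020", "ProcessId": 988,   # IE loading its own engine
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ImageLoaded": r"C:\Windows\System32\vbscript.dll"},
    {"EventID": 7, "Computer": "WS-031", "ProcessId": 2204,  # unrelated module
     "Image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "Computer": "WS-031", "ProcessId": 2204,  # not an image-load event
     "Image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"},
]

def find_office_script_loads(events):
    """Return one finding per (host, pid) where Office loaded a watched module."""
    findings = {}
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        proc = ntpath.basename(ev.get("Image", "")).lower()
        module = ntpath.basename(ev.get("ImageLoaded", "")).lower()
        if proc not in OFFICE_HOSTS or module not in WATCHED:
            continue
        key = (ev.get("Computer"), ev.get("ProcessId"))
        f = findings.setdefault(key, {"host": key[0], "pid": key[1],
                                      "process": proc, "modules": [], "rank": 0})
        if module not in f["modules"]:
            f["modules"].append(module)
        f["rank"] = max(f["rank"], WATCHED[module])
    for f in findings.values():
        f["severity"] = SEVERITY[f.pop("rank")]  # highest severity seen for the process
    return list(findings.values())

if __name__ == "__main__":
    for finding in find_office_script_loads(SAMPLE_EVENTS):
        print(finding)
```

Office can load mshtml.dll for legitimate HTML content, so that match alone is rated medium; vbscript.dll inside an Office process is the stronger signal.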

While nation-state actors may have already started exploiting this zero-day, the exploit will make its way into the vast set of exploit kits used by attackers. And given the prevalence of Windows, almost every organization is vulnerable to this threat. If WannaCry is any indication of the breadth of damage (300,000+ machines infected), this definitely warrants swift and comprehensive action by organizations to control damage.

The good news: Microsoft is increasingly moving towards deprecating VBScript. However, given the number of older machines and older browsers, and the speed and limitations of updates, your organization may still have several vulnerable machines. It’s always good to ensure your security covers all these cases too.

What can you do?

Of course, ensure you’re aware of this issue and patch your end-user systems and servers as early as possible. Also understand the breadth of BYOD users and ensure their systems are appropriately patched.

Also look at new technologies, such as Remote Browsers, that can help reduce your attack surface in a highly efficient manner.

Gartner identifies Remote Browsers, also known as isolation, as one of the most significant ways an enterprise can reduce the ability of web-based attacks to cause damage. Attackers are likely to bypass most detection approaches at some point, and they only need to succeed once to cause damage! Therefore, the best way to secure an organization is to isolate end-user browsing activities from end-user devices and enterprise networks, limiting the attack surface and nullifying the impact of an attack.

Gartner estimates that isolation can lead to a 70% reduction in attacks compromising end-user systems.

Learn more about isolation at

Rajiv Raghunarayan

Vice President - Products
