Dealing with Double Kill: The Latest Microsoft Zero-Day

Microsoft’s Patch Tuesday update in May addressed several critical flaws in Windows. One of the key vulnerabilities was a zero-day exploited in the wild affecting the VBScript engine (CVE-2018-8174). This vulnerability, dubbed Double Kill, allowed attackers to compromise Windows machines through Internet Explorer.

Diving into Double Kill

Discovered by researchers at Qihoo 360 Core Security and Kaspersky Labs, Double Kill is a use-after-free vulnerability in the VBScript Engine. It affects several Windows OS versions, among them Windows 7, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.

VBScript is a Windows-specific, client-side scripting language that is similar to JavaScript. Environments that support VBScript include IIS (Internet Information Server), WSH (Windows Script Host), .NET, Microsoft Office products (such as Word and Excel), and IE (Internet Explorer).

The vulnerability allows an attacker to force an IE load to exploit the flaw on an unpatched machine even when Chrome or Firefox has been configured as the default browser.

The Attack Surface

This VBScript vulnerability can be exploited in multiple ways by attackers:

  1. Web-based attacks: Specially crafted websites can exploit the vulnerability via Internet Explorer or the attack can be delivered via websites hosting user-provided content or advertising (malvertising).
  2. Microsoft Office documents: Attackers can also embed an ActiveX control marked “safe for initialization” within Microsoft Office documents that host an IE rendering engine.
  3. Spear-phishing emails: Attackers can use a combination of the methods above with email –  delivering a malicious document or malicious URL to initiate a targeted attack.

This vulnerability demands swift attention because it enables attackers to remotely take control of infected systems, which can result in ransomware installation, eavesdropping, and data manipulation attacks.

While nation-state actors may have already started exploiting this zero-day, the exploit will eventually make its way into the vast set of exploit kits used by attackers. And given the prevalence of the Windows OS, almost every organization is vulnerable to this threat. If WannaCry is any indication of the breadth of damage (300,000+ machines infected), this threat definitely warrants swift and comprehensive action by organizations to control damage.

The good news: Microsoft is increasingly moving toward deprecating VBScript. However, given the common presence in many organizations of at least several older machines and older browsers and the speed / limitations of updates, your organization may still have vulnerable machines. It’s always good to ensure that your security covers all these cases too.

What can you do?

Of course, ensure you’re aware of this issue and patch your end-user systems and servers at the earliest opportunity. Also, understand the breadth of BYOD users and ensure their systems are appropriately patched.

Further, look at new technologies, such as Remote Browsers, that can help reduce your attack surface in a highly efficient manner.

Gartner identifies Remote Browsers, also known as isolation, as one of the most significant ways an enterprise can reduce the ability of web-based attacks to cause damage. Attackers are likely to bypass most detection approaches at some point and need only to succeed once to cause damage! Therefore, the best way to secure an organization is to isolate the end-user browsing activities from the end-user devices and enterprise networks. This will limit the attack surface and nullify the impact of an attack.

Gartner estimates that isolation can lead to a 70% reduction in attacks compromising end-user systems.

Learn more about isolation at www.cyberinc.com.

Rajiv Raghunarayan

Vice President - Products

Your email address will not be published. Required fields are marked *