For those who remember, this is the Double Kill exploit that Qihoo 360 Core Security described late last month, but it now has an official designation: CVE-2018-8174. According to Microsoft, there is a flaw in the VBScript engine that allows for remote code execution. Microsoft goes on to confirm that the exploit is pretty nasty, writing:
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The bad news, however, is that this security flaw can force Internet Explorer to load — even if it is not the default browser — and that it is already being actively exploited.
“This is the first time we’ve seen a URL moniker used to load an IE exploit, and we believe this technique will be used heavily by malware authors in the future,” wrote security analysts from Kaspersky Labs. “This technique allows one to load and render a web page using the IE engine, even if the default browser on a victim’s machine is set to something different.”
“We expect this vulnerability to become one of the most exploited in the near future, as it won’t be long until exploit kit authors start abusing it in both drive-by via browser and spear-phishing via document campaigns.”
Microsoft is also taking this very seriously, writing, “The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.”
We should note that although Microsoft patched this vulnerability — and 66 others — on Patch Tuesday, it’s up to users and businesses to actually install the patch to protect their systems. Given the seriousness of this exploit (and the tendency of some workers to haphazardly click on emails or attachments that they shouldn’t), these updates should be applied sooner rather than later.