{"id":12263,"date":"2018-05-10T13:10:03","date_gmt":"2018-05-10T21:10:03","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2018\/05\/10\/news-6032\/"},"modified":"2018-05-10T13:10:03","modified_gmt":"2018-05-10T21:10:03","slug":"news-6032","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/05\/10\/news-6032\/","title":{"rendered":"Internet Explorer zero-day: browser is once again under attack"},"content":{"rendered":"

Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 10 May 2018 19:58:00 +0000<\/strong><\/p>\n

In late April, two security companies (Qihoo360<\/a> and Kaspersky<\/a>) independently discovered a zero-day for Internet Explorer (CVE-2018-8174<\/a>), which was used in targeted attacks for espionage purposes. This marks two years since a zero-day has been found (CVE-2016-0189<\/a> being the latest one) in the browser that won’t die, despite efforts from Microsoft to move on to the more modern Edge.<\/p>\n

The vulnerability exists in the VBScript engine and how it handles memory objects. It will also affect IE11 even though VBScript is no longer supported<\/a>\u00a0by using the compatibility tag for IE10.<\/p>\n

The attack came via a Word document making use of\u00a0OLE autolink objects<\/a> to retrieve the exploit and shellcode from a remote server. However, it is important to note that it could very well have been executed by visiting a website instead.<\/p>\n

Perhaps one of the reasons why it was not used as a drive-by download attack may be related to the targets running another browser as their default (i.e. Chrome) where the exploitation would never occur. However, by tricking their victims to open an Office document, the attackers can force Internet Explorer to load, thanks in part to the URL moniker<\/a> “feature.”<\/p>\n

\"\"<\/a><\/p>\n

Using rtfdump.py<\/a>, we see the call for an HTTP connection:<\/p>\n

python rtfdump.py -s 320 -H CVE-2018-8174.rtf<\/strong><\/em><\/p>\n

000014C0: 70 B2 86 8C 53 30 05 43 00 38 30 01 18 68 00 74 p\ufffd\ufffd\ufffdS0.C.80..h<\/span>.t<\/span>  000014D0: 00 74 00 70 00 3A 00 2F 00 2F 00 61 00 75 00 74 .t<\/span>.p<\/span>.:<\/span>.\/<\/span>.\/<\/span>.a<\/span>.u<\/span>.t<\/span>  000014E0: 00 6F 00 73 00 6F 00 75 00 6E 00 64 00 63 00 68 .o<\/span>.s<\/span>.o<\/span>.u<\/span>.n<\/span>.d<\/span>.c<\/span>.h<\/span>  000014F0: 00 65 00 63 00 6B 00 65 00 72 00 73 00 2E 00 63 .e<\/span>.c<\/span>.k<\/span>.e<\/span>.r<\/span>.s<\/span>..<\/span>.c<\/span>  00001500: 00 6F 00 6D 00 2F 00 73 00 32 00 2F 00 73 00 65 .o<\/span>.m<\/span>.\/<\/span>.s<\/span>.2<\/span>.\/<\/span>.s<\/span>.e<\/span>  00001510: 00 61 00 72 00 63 00 68 00 2E 00 70 00 68 00 70 .a<\/span>.r<\/span>.c<\/span>.h<\/span>..<\/span>.p<\/span>.h<\/span>.p<\/span>  00001520: 00 3F 00 77 00 68 00 6F 00 3D 00 37 00 00 00 00 .?<\/span>.w<\/span>.h<\/span>.o<\/span>.=<\/span>.7<\/span>....<\/pre>\n
\"\"<\/a><\/p>\n
The flaw abused by this vulnerability relates to a reference count that is checked at the beginning of the function but not after, despite the chance of it being incremented along the way. This allows an attacker to execute malicious shellcode and eventually load the malware binary of his choice.<\/p>\n
We tested this Use After Free (UAF) vulnerability with the publicly available PoC running Internet Explorer 11 under Windows 10. The browser crashes once it loads the VBS code, but with\u00a0Malwarebytes<\/a>, the attack vector is mitigated:<\/p>\n
\"\"<\/a><\/p>\n
Microsoft has released a patch<\/a> for this vulnerability, and we strongly advise to apply it, as it is just a matter of time before other threat actors start leveraging this new opportunity in spam or exploit kit campaigns.<\/p>\n
We will update this blog if we obtain more information about this vulnerability being used widely, and in particular, if a full working exploit is available.<\/p>\n
The post Internet Explorer zero-day: browser is once again under attack<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: J\u00e9r\u00f4me Segura| Date: Thu, 10 May 2018 19:58:00 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Internet Explorer is yet again leveraged for a zero-day exploit delivered via Office document\u2014the first zero-day observed for IE in over two years.<\/p>\n
Categories: <\/p>\n
This remote request will download a VBS script. A Proof of Concept adapted from the blog<\/a> that was published by Kaspersky can be seen below:<\/p>\n