Hackers are still finding - and using - flaws in Internet Explorer

The hackers delivered an IE exploit in an emailed Office document, which renders web content in IE even if it is not the default browser.
Written by Liam Tung, Contributing Writer
Image: Getty

Google has filled in the blanks about a curious zero-day flaw that Microsoft addressed in its November Patch Tuesday. 

The remote code execution flaw, tracked as CVE-2022-41128, was in one of its Windows JavaScript scripting languages, JScript9 – the JavaScript engine used in IE 11. The bug affected Windows 7 through to Windows 11, as well as Windows Server 2008 through 2022. 

Microsoft ended support for IE 11 on June 15, 2022, and has been encouraging customers to use Edge instead with 'IE mode'. But Google has found this type of IE bug continues to be exploited in Office documents because the IE engine remains integrated with Office.  

And who were the actors behind the newly discovered exploit for legacy IE 11?

According to TAG members Clement Lecigne (who reported the flaw to Microsoft) and Benoit Sevens, the IE exploit was developed by North Korean actors APT37.

Also: Cybersecurity jobs: Five ways to help you build your career

The attackers distributed the IE exploit in an Office document because, as TAG explains, Office renders HTML content using IE. IE exploits have been delivered via Office since 2017 for this reason because, even if Chrome is set as the default, Office defaults to the IE engine when it encounters HTML or web content.

"Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape," the threat analysts note. 

They also note that this flaw is very similar to the bug, CVE-2021-34480, that Google Project Zero (GPZ) found last year in IE 11's JIT compiler. GPZ's analysis of the new IE flaw also traced it to IE's JIT compiler. 

At the time, GPZ researcher Ivan Fratric noted that, although Microsoft had ended support for IE 11, IE (or the IE engine) was still integrated into other products, most notably, Microsoft Office. Due to that still-existing integration, Fratric wondered how long it would take before attackers stopped abusing it. 

TAG notes that in a typical scenario, when an IE exploit is delivered in an Office document, the user would have to disable Office Protected View before the remote RTF is fetched.

Also: What is a CISO? Everything you need to know about the Chief Information Security Officer role

TAG didn't find the final payload for this campaign. However, TAG noted that APT37 (also known as ScarCruft and Reaper) has used several implants like ROKRAT, BLUELIGHT, and DOLPHIN.

"APT37 implants typically abuse legitimate cloud services as a C2 channel and offer capabilities typical of most backdoors," TAG notes. 

TAG also commended Microsoft for the quick patch, which it delivered eight days after Google first analyzed the malicious Office file from VirusTotal.

Editorial standards