Internet Explorer zero-day alert: Attackers hitting unpatched bug in Microsoft browser

Microsoft is being urged to rush out a patch for a bug in Internet Explorer that's being used in attacks.
Written by Liam Tung, Contributing Writer

A well-resourced hacking group is using a previously unknown and unpatched bug in Internet Explorer (IE) to infect Windows PCs with malware.

Researchers at Qihoo 360's Core security unit say an advanced persistent threat (APT) group is using the IE vulnerability on a "global scale". The exploit is being delivered to select targets via malicious Office documents loaded with what the firm calls a "double-kill" vulnerability.

The attack requires the victim to open the Office document, which then launches a malicious webpage in the background to deliver malware from a remote server.

According to the firm, the vulnerability affects the latest versions of IE and other applications that use the browser.

The researchers say they have reported the issue to Microsoft and are also calling for an urgent patch.

The attack apparently also uses a publicly known User Account Control (UAC) bypass, along with file steganography. The company provided a rough outline of the attack in the diagram below.

[Diagram: outline of the attack. Image: Qihoo 360 Core]

We asked Microsoft for a response to the IE attacks. Microsoft's answer didn't really give much away:

Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide remediation via our current Update Tuesday schedule.
