A well-resourced hacking group is using a previously unknown and unpatched bug in Internet Explorer (IE) to infect Windows PCs with malware.
Researchers at Qihoo 360's Core security unit say an advanced persistent threat (APT) group is using the IE vulnerability on a "global scale", which is being delivered to select targets via malicious Office documents loaded with what it calls a "double-kill" vulnerability.
Victims are required to open the Office document, which launches a malicious webpage in the background to deliver malware from a remote server.
According to the firm, the vulnerability affects the latest versions of IE and other applications that use the browser.
The researchers say they have reported the issue to Microsoft and are also calling for an urgent patch.
The attack apparently also uses a publicly known User Account Control (UAC) bypass, along with file steganography. The company provided a rough outline of the attack in the diagram below.
We asked Microsoft for a response to the IE attacks. Microsoft's answer didn't really give much away:
Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide remediation via our current Update Tuesday schedule.