Video: Microsoft's reverse engineering unveils secrets of FinFisher government spyware.
Microsoft's Patch Tuesday update addresses a critical flaw in the Windows VBScript engine that attackers are using to compromise Windows machines through Internet Explorer.
The patch follows an alarm by researchers at Qihoo 360 Core Security in April that well-resourced hackers were using a then suspected IE zero-day flaw to infect Windows PCs on a "global scale".
The IE attack, dubbed 'Double Kill', was delivered via Office documents that open a malicious webpage in the background.
See: Special report: Cybersecurity in an IoT and mobile world (free PDF)
In an advisory crediting Qihoo 360 Core Security researchers and Kaspersky Lab malware analysts for discovering a critical bug tagged as CVE-2018-8174, Microsoft details a remote code execution flaw residing not in Internet Explorer but the Windows VBScript engine. However, it also explains the bug can be exploited through Internet Explorer.
Microsoft hasn't confirmed this is the bug reported by Qihoo 360 Core Security but notes the flaw is being exploited in the wild.
"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website," Microsoft notes.
"An attacker could also embed an ActiveX control marked 'safe for initialization' in an application or Microsoft Office document that hosts the IE rendering engine."
Observed attacks have started with a malicious Word document, which when opened downloads an exploit written in VBScript that's hosted on a webpage, according to malware analysts at Kaspersky Lab.
The analysts are also confident the exploit they found is the same as the Double Kill attack Qihoo 360 Core Security reported.
While the zero-day attacks are likely to be the work of state-sponsored attackers, Kaspersky Lab predicts it will become popular with cybercriminals as part of an exploit kit's arsenal for compromising Windows PCs in web-based attacks.
That's because the technique allows an attacker to force IE to load and exploit the flaw on an unpatched machine even if victims have set Chrome or Firefox as the default browser.
"Despite a Word document being the initial attack vector, the vulnerability is actually in VBScript, not in Microsoft Word. This is the first time we've seen a URL moniker used to load an IE exploit, and we believe this technique will be used heavily by malware authors in the future. This technique allows one to load and render a web page using the IE engine, even if the default browser on a victim's machine is set to something different," the analysts said.
"We expect this vulnerability to become one of the most exploited in the near future, as it won't be long until exploit kit authors start abusing it in both drive-by via browser and spear-phishing via document campaigns."
See: What is phishing? How to protect yourself from scam emails and more
The other vulnerability Microsoft has confirmed is currently being exploited is a Win32k elevation of privilege vulnerability, which is tracked as CVE-2018-8120 and rated as important.
"To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system," Microsoft notes.
Microsoft also got around to patching a Device Guard bypass it had hoped Google's Project Zero would keep a lid on until after the May Patch Tuesday.
Microsoft patched a total of 67 vulnerabilities in the May Patch Tuesday update, of which 21 are rated as critical.
Previous and related coverage
Internet Explorer zero-day alert: Attackers hitting unpatched bug in Microsoft browser
Microsoft is being urged to rush out a patch for a bug in Internet Explorer that's being used in attacks.
Google's Project Zero exposes unpatched Windows 10 lockdown bypass
Google denies multiple requests by Microsoft for an extension to Project Zero's 90-day disclose-or-fix deadline.
Windows 10 security: Google exposes how malicious sites can exploit Microsoft Edge
Microsoft misses Google's 90-day deadline, so Google has published details of an exploit mitigation bypass.
Windows 10 bug: Google again reveals code for 'important' unpatched flaw
For the second time in a week, Google reveals another unpatched Windows 10 vulnerability.