In the second half of December 2018, a new Internet Explorer zero-day tracked as CVE-2018-8653 was discovered. According to Microsoft, the vulnerability arises in the way the “scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.” This means that an attacker who successfully exploits a machine vulnerable to this flaw would obtain the same rights as the exploited user. If the victim is an administrator, the attacker could take full control of the affected system and perform further exploitation activity by modifying data, installing new software, or creating additional user accounts for future access.
But how could this vulnerability be exploited? The easiest way would be for an attacker to host a specially crafted website that takes advantage of the flaw when browsed to through Internet Explorer. In this scenario, there are a number of techniques an attacker can use to trick victims into accessing a malicious website, the most common being phishing emails with links to such a site. According to Cylance researchers, CVE-2018-8653 “utilizes a use-after-free (UAF) to gain arbitrary code execution within the context of jscript.dll by masquerading as a fake RegExpObj.” A use-after-free is an attempt to access heap memory that was previously allocated and then freed, most often resulting in a program crash or the execution of arbitrary code. This type of attack bypasses traditional exploit techniques and instead creates a new call stack to the real stack. The memory permissions of the heap region where the shellcode is stored are then changed and the shellcode is executed, giving an attacker full control of the system.
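As an added illustration (not code from Microsoft, Cylance or the original write-up), the C model below reproduces the use-after-free pattern described above in a deterministic way: a small fixed pool stands in for the heap, a freed slot is reused by an object of another type, and a stale reference then sees the replacement object's data. The pool, the handle layout and all function names are hypothetical; the generation counter is one common way to make stale references detectable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model: a fixed pool stands in for the heap so slot reuse is deterministic. */
enum { KIND_FREE = 0, KIND_REGEXP, KIND_STRING };
#define POOL_SLOTS 4
typedef struct { uint32_t gen; int kind; char payload[16]; } Slot;
typedef struct { int index; uint32_t gen; } Handle;
static Slot pool[POOL_SLOTS];

/* Take the first free slot, as allocators tend to reuse recently freed memory. */
Handle pool_alloc(int kind, const char *payload) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (pool[i].kind != KIND_FREE) continue;
        pool[i].kind = kind;
        strncpy(pool[i].payload, payload, sizeof pool[i].payload - 1);
        pool[i].payload[sizeof pool[i].payload - 1] = '\0';
        return (Handle){ i, pool[i].gen };
    }
    return (Handle){ -1, 0 };
}

/* Freeing bumps the generation, which invalidates every outstanding handle. */
void pool_free(Handle h) {
    if (h.index < 0 || h.index >= POOL_SLOTS || pool[h.index].gen != h.gen) return;
    pool[h.index].kind = KIND_FREE;
    pool[h.index].gen++;
}

/* Models a raw dangling pointer: no liveness or type check (caller passes a valid index). */
const char *deref_unchecked(Handle h) { return pool[h.index].payload; }

/* Hardened access: reject stale generations and unexpected object types. */
const char *deref_checked(Handle h, int kind) {
    if (h.index < 0 || h.index >= POOL_SLOTS) return NULL;
    Slot *s = &pool[h.index];
    return (s->gen == h.gen && s->kind == kind) ? s->payload : NULL;
}

/* Returns 1 when the stale handle sees the new object unchecked but is rejected when checked. */
int demo_stale_reference(void) {
    memset(pool, 0, sizeof pool);
    Handle re = pool_alloc(KIND_REGEXP, "regexp-state");
    pool_free(re);                                      /* object released, handle kept */
    Handle str = pool_alloc(KIND_STRING, "other-data"); /* same slot, different type */
    int confused = strcmp(deref_unchecked(re), "other-data") == 0;
    int rejected = deref_checked(re, KIND_REGEXP) == NULL;
    return confused && rejected && deref_checked(str, KIND_STRING) != NULL;
}

int main(void) { printf("demo: %d\n", demo_stale_reference()); return 0; }
```

The unchecked path is the defect class: the holder of the old reference still believes it has its original object, while the memory now belongs to something else. The checked path shows why lifetime tracking at the point of access closes it.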
In an effort to mitigate malicious attacks, Microsoft released an out-of-band patch ahead of the January 2019 update. The vulnerability affected Internet Explorer 9 on Windows Server 2008, IE 10 on Windows Server 2012, and IE 11 on Windows 7-10 as well as Windows Server 2012, 2016 and 2019. At this time, Microsoft has not presented any details about attacks that may have already taken place or any associated damage or losses. The update to patch this vulnerability was released on December 19th.
Proficio Threat Intelligence Recommendations:
- Maintain all software up to date with the latest patches.
- Refrain from operating with administrative privileges while performing standard work activities.
- Conduct training on social engineering techniques in order to mitigate the risk of phishing attacks among employees.
Microsoft Report – Click Here
Cylance Report – Click Here