A Chinese cybersecurity firm has discovered a "double kill" bug in Internet Explorer that it said is already being used by possible nation-state hacking groups.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A Chinese cybersecurity firm has found a zero-day exploit in Internet Explorer that is already being used to infect machines through malicious Microsoft Office documents.
- Microsoft has yet to issue a response to the discovery, and until it patches the vulnerability IE users should be particularly careful not to open Office attachments from unknown sources.
Chinese cybersecurity company Qihoo 360 has discovered (translation necessary) a new Microsoft Internet Explorer zero-day exploit it says is already being used in the wild.
Qihoo's 360 Security Center said the zero day, which it calls a "double kill" due to targeting Internet Explorer and any other apps that use the IE kernel, is already being used by an advanced persistent threat (APT), which are often government-sponsored.
The zero day requires a potential victim to open a malicious Microsoft Office document that contains a link to a website designed to deliver a malware payload, which is a common way for attackers to infect victims.
Once someone is infected, Qihoo 360 said, attackers can install backdoor Trojans or even gain complete control over the machine.
Qihoo 360's report is scant on details--it doesn't say what the actual zero-day exploit is and doesn't mention the particular software being delivered. It also doesn't reveal which "known APT actor" or nation-state sponsors may be behind the attack, leaving a lot of questions unanswered.
What Qihoo 360 does mention is how the attack actually functions: A malicious Microsoft Office document, when opened, connects to a remote server and silently downloads and installs exploit code and malicious payloads.
SEE: Securing Windows policy (Tech Pro Research)
The later phases of the attack use a public user account control (UAC) bypass technique, file steganography, memory reflection loading, and fileless execution. It's an advanced threat, and Microsoft has yet to issue a formal response.
Qihoo 360 said it's urgently promoting the release of a patch, but until Microsoft acknowledges the exploit through anything more than a canned response it's up to users and security professionals to take steps to avoid infection:
- Never open a Microsoft Office attachment from an unfamiliar source. Better yet, insist that coworkers, customers, and collaborators share documents via a cloud service like Google Cloud or OneDrive.
- Make sure all Windows machines have up-to-date antivirus software installed. Some threats may be missed without it.
- Take Microsoft's advice and stop using Internet Explorer. Microsoft said its new Edge browser is more secure; IT teams should use group policy to force users who don't want to stop using IE away from it and on to a better, safer browser.
- Keep all systems up to date with the latest security patches. Outdated machines are especially vulnerable to attack, as we've seen in the past with outbreaks like WannaCry, which used a Windows vulnerability that had been patched months prior to its spread.
- IT pro's guide to effective patch management (free PDF) (TechRepublic)
- Internet Explorer zero-day alert: Attackers hitting unpatched bug in Microsoft browser (ZDNet)
- Zero-day exploits: A cheat sheet for professionals (TechRepublic)
- North Korean Reaper APT uses zero-day vulnerabilities to spy on governments (ZDNet)
- 7 Windows 10 security features that could help prevent cyberattacks against your business (TechRepublic)