DOUBLE KILL: WHEN WORD FAILED INTERNET EXPLORER
May 13, 2018
Hackers never rest, and in recent weeks they have come up with a brand new scam. CVE-2018-8174, like CVE-2017-0199, which gained huge traction in April 2017, is another riff on inserting malware into malicious RTF Microsoft Office documents. Though also a zero-day attack, this one contains an unusual combination of vulnerabilities that had yet to be seen in Internet Explorer (specifically, a Use-After-Free vulnerability in the Microsoft VBScript DLL used by Internet Explorer). Hence the moniker that has been given to this attack: Double Kill.
The attack works as follows: an RTF document containing an auto-updating external link to an HTTP location is sent to the victim. The link causes Word to reach out to that remote resource and wait for a response. The method is similar to the one used in the previous RTF attack, CVE-2017-0199. In that attack, Word received an HTA (“application/hta”) file in response to the remote request, and the file was executed with mshta.exe on the victim’s machine. Microsoft patched that issue by preventing mshta.exe from executing the remote content, along with whatever programs it called. In the new attack, the response is of type HTML (“text/html”), which is rendered by the victim’s Internet Explorer engine (mshtml.dll), a component that Microsoft’s patch for CVE-2017-0199 does not block.
Once Internet Explorer executes this HTML file, it encounters an embedded VBScript that exploits the Use-After-Free vulnerability on its way to infecting the machine. Once code execution is achieved, PowerShell is used to download and execute the second-stage payload.
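As an added illustration (not Votiro's code and not part of the original post), the following scanner flags the delivery document described above: an RTF whose embedded object both auto-updates and carries an external URL, which is the shape shared by CVE-2017-0199 and CVE-2018-8174. The RTF control words it keys on, the simplified object data and the placeholder URL are assumptions of this example.

```python
import re

# RTF control words that make Word refresh an embedded OLE object from its
# external source when the document is opened (the "auto-updating link").
AUTO_UPDATE_WORDS = (b"\\objautlink", b"\\objupdate")
# URLs inside decoded object data: plain ASCII, or UTF-16LE as stored by the
# URL moniker of an OLE2Link stream.
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]{4,}", re.I)
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}", re.I)
OBJDATA = re.compile(rb"\\objdata\b\s*([0-9a-fA-F\s]+)")  # hex-encoded object payload

def scan_rtf(data: bytes) -> dict:
    """Report whether the RTF asks Word to auto-update an object, plus every
    external URL recovered from its hex-encoded \\objdata blobs."""
    lowered = data.lower()
    findings = {"auto_update": any(w in lowered for w in AUTO_UPDATE_WORDS), "urls": []}
    for m in OBJDATA.finditer(data):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        hexstr = hexstr[:len(hexstr) - len(hexstr) % 2]  # drop a dangling nibble
        try:
            blob = bytes.fromhex(hexstr.decode("ascii"))
        except ValueError:
            continue
        found = [u.decode("ascii") for u in URL_ASCII.findall(blob)]
        found += [u.decode("utf-16-le") for u in URL_UTF16.findall(blob)]
        for url in found:
            if url not in findings["urls"]:
                findings["urls"].append(url)
    return findings

def verdict(findings: dict) -> str:
    """An object that both auto-updates and points at an external URL is the
    delivery shape shared by CVE-2017-0199 and CVE-2018-8174: block it outright."""
    if findings["auto_update"] and findings["urls"]:
        return "block"
    if findings["auto_update"] or findings["urls"]:
        return "review"
    return "allow"

# Constructed test input: a minimal RTF whose object data is only the link
# target in UTF-16LE, not a real OLE2Link stream. The URL is a placeholder.
SAMPLE_URL = "http://example.invalid/stage.html"

def build_sample_rtf(url: str) -> bytes:
    objdata = url.encode("utf-16-le").hex().encode("ascii")
    return b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objdata " + objdata + b"}}}"

print(verdict(scan_rtf(build_sample_rtf(SAMPLE_URL))))  # prints: block
```

A real OLE2Link object wraps the URL in an OLE stream with other fields, so on production samples the hex decoding and URL extraction should be fed through a proper OLE parser rather than this regex pass.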
The attack is considered a very sophisticated one (some believe it was developed by hackers in the employ of a nation state) and especially galling, as Microsoft believed that it had already patched this vulnerability.
Which just goes to show how difficult it is to defend against specific attacks using anti-malware systems: hackers are always coming up with something new, discovering fresh vulnerabilities even in applications as “ancient” in computer terms as Office and Internet Explorer. And as CVE-2018-8174 was a zero-day attack, no anti-malware system in the world would have protected users.
That’s why Votiro’s approach is better: our customers were safe all along, as Votiro’s Disarmer extracts malicious/suspicious external links and protects users from threats like these. Had a Votiro customer encountered one of these documents, it would have been labeled “blocked due to containing suspicious external links”, preventing the attack altogether. Instead of relying on old, ineffective detection techniques, we advise users to try our advanced Disarmer to see what a zero-interference, zero-latency security product looks and feels like.