Microsoft's legacy browser Internet Explorer (IE) has been used for almost three decades, but not without issues. IE has been so plagued with security problems that Microsoft built a new, more secure browser called Edge. But there are still some issues. Edge’s forward-leaning technology doesn’t support some of IE’s legacy capabilities. For that reason, IE still comes installed on all Windows operating systems. So, once again, IE has been exploited by attackers, as discovered and observed in the wild by the Chinese security firm Qihoo 360. They’re calling this new zero-day vulnerability Double Kill. The firm believes this is an advanced persistent threat (APT) aimed at achieving ongoing access to targeted systems.
Impact assessment
Technical details and a POC have not been released at this time. However, Qihoo 360 has stated that Double Kill involves an IE vulnerability which uses Microsoft Word documents (usually sent as an email attachment) as the attack vector. Qihoo 360 also states that the document contains some unspecified sort of shellcode. Internet Explorer is somehow opened in the background processes, which leads to an executable program being downloaded and executed – without any visible warning to the user. Opening malicious documents with Double Kill allows attackers to control victims’ computers without their knowledge, making ransomware infection, eavesdropping and data leakage convenient and stealthy.
Vulnerability details
These types of attacks typically begin with spear phishing attempts, a type of email-spoofing attack that targets specific organizations or individuals. If successful, an individual may unknowingly activate malware embedded within attached Word documents, believing they are from a trusted source. In many attack scenarios, attackers get in and get out quickly to avoid detection. With an APT, the goal of the attacker is to achieve ongoing access.
Exploitation
The Word document in question doesn't automatically download to the computer, and requires interaction on behalf of the user. Users must be on IE, and they must open the infected file, which would then launch a malicious webpage. The malware then uses a user account control bypass and file steganography, or what is called the embedding of a file, message or image within another file, message or image.
Urgently required actions
Stop using IE. Microsoft has not released a statement or any patches at this time. If, for some reason, you need to continue using IE, follow IT security best practices.
Tenable® has developed several Nessus® and NNM plugins for IE, which can help you discover, identify and assess potential vulnerabilities in the legacy browser.
Get more information:
- Qihoo 360 blog post
- Learn more about Tenable.io®, the first Cyber Exposure platform for holistic management of your modern attack surface
- Get a free 60-day trial of Tenable.io Vulnerability Management