Microsoft on Tuesday patched two Windows vulnerabilities that attackers are actively exploiting in the wild to install malicious apps on the computers of unwitting users.
The first vulnerability resides in the VBScript Engine included in all currently supported versions of Windows. A so-called use-after-free flaw in the way the engine handles memory allows attackers to execute code of their choice with the same privileges as the logged-in user. When targeted users are logged in with administrative rights, attackers who exploit the bug can take complete control of the system. If users are logged in with more limited rights, attackers may still be able to escalate privileges by exploiting a separate vulnerability.
CVE-2018-8174, as the flaw is formally indexed, is being actively exploited by attackers, Microsoft officials said. The vulnerability was discovered by antivirus provider Kaspersky Lab, which then reported it to Microsoft. In the exploits observed by Kaspersky Lab:
- Targets receive a malicious RTF Microsoft Office document
- After being opened, the malicious document causes the second stage of the exploit to be downloaded in the form of an HTML page with malicious code
- The malicious code triggers the use-after-free memory-corruption bug
- Accompanying shellcode then downloads and executes a malicious payload
Kaspersky Lab security researcher Anton Ivanov wrote the following in an email:
This technique, until fixed, allowed criminals to force Internet Explorer to load, no matter which browser one normally used – further increasing an already huge attack surface… We urge organizations and private users to install recent patches immediately, as it won't be long before exploits to this vulnerability make it to popular exploit kits and will be used not only by sophisticated threat actors but also by standard cybercriminals.
In an advisory published Tuesday, Microsoft officials said attackers could also exploit the vulnerability by hosting an exploit on a website or in website ads and tricking a target to view the malicious content with the IE browser. Neither Microsoft nor Kaspersky Lab provided details about who is exploiting the vulnerability, who is being exploited, or how widespread the exploits are. Microsoft rated CVE-2018-8174 "critical," the company's highest severity rating.
The second vulnerability is a privilege-escalation flaw in the Win32k component of Windows. "An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," Microsoft officials wrote in a separate advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights." The flaw is rated "important," one level below "critical." Microsoft didn't provide details about the in-the-wild exploits.
In all, Microsoft issued 68 security bulletins on Tuesday as part of its monthly patch release. Twenty-one of the patches were rated critical, 45 were rated important, and two were rated low severity. Other noteworthy bulletins patched remote code-execution vulnerabilities in Microsoft's Hyper-V and Hyper-V SMB and an Azure IoT SDK spoofing vulnerability. The SANS Institute lists all of the fixes here.