Microsoft Wednesday issued an emergency out-of-band patch for an Internet Explorer zero-day vulnerability that was actively exploited by threat actors.
The zero-day bug is a remote code execution vulnerability that affects how Microsoft’s scripting engine handles objects in memory for Internet Explorer 11, as well as some older versions of the browser. According to Microsoft’s advisory, threat actors could exploit the vulnerability (CVE-2018-8653) to corrupt a system’s memory and execute arbitrary code.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email,” the advisory states.
Microsoft said separately that the Internet Explorer zero-day was “being used in targeted attacks,” though the software giant didn’t provide additional details. Satnam Narang, senior research engineer at Tenable Inc., also said in a statement that the vulnerability was being exploited in the wild.
The flaw was reported to Microsoft by Clement Lecigne of Google’s Threat Analysis Group. The out-of-band patch for the Internet Explorer zero-day bug addresses how the scripting engine handles objects in memory for the browser.
The out-of-band patch came a week after Microsoft’s Patch Tuesday for December addressed a different zero-day vulnerability that was also under attack and similarly involved improper handling of objects in memory. The privilege escalation vulnerability (CVE-2018-8611) in the Windows kernel can allow attackers to run arbitrary code in kernel mode.
In other news
- An Amnesty International report detailed how threat groups have targeted human rights activists and journalists across the Middle East and Africa with a phishing campaign that uses an automated bypass of two-factor authentication (2FA) for both Gmail and Yahoo email. According to the report, the campaign uses phishing domains that look like Google and Yahoo login pages; these pages not only ask for user passwords but also trigger a legitimate security alert from Google, which sends a six-digit 2FA code to victims’ mobile devices via SMS. Victims then enter the legitimate 2FA code in the phishing pages, and the attackers intercept it to take control of the email accounts. “In a completely automated fashion, the attackers managed to use our password to login (sic) into our account, obtain from us the two-factor authentication code sent to our phone, and eventually prompt us to change the password to our account,” the report stated. Amnesty International argued that while 2FA is an important security measure, users should be aware of its limitations and the risks posed by threat actors such as the one detailed in the report.
- The Department of Justice (DOJ) announced Thursday that it seized 15 web domains and charged three suspects in connection with distributed denial-of-service (DDoS) attacks. Matthew Gatrel, 30, of St. Charles, Illinois; Juan Martinez, 25, of Pasadena, California; and David Bukoski, 23, of Hanover Township, Pennsylvania, are accused of running DDoS-for-hire services, also known as booter or stresser services. According to the criminal complaints, Gatrel and Martinez allegedly operated the Downthem and Ampnode stresser services, while Bukoski is accused of running Quantum Stresser, which the DOJ calls “one of the longest-running DDoS services in operation.” Quantum was used to launch or attempt more than 50,000 DDoS attacks this year alone. Infosec journalist Brian Krebs called the takedown of these stresser services “unprecedented” because the FBI tested each service it dismantled to determine the scale of the DDoS attacks they deliver and to learn more about how they operate.
- Media conglomerate Oath announced this week that it has paid $5 million in bug bounties this year, which is almost five times what it paid out for bounties in 2017. The company, which includes subsidiaries Yahoo, AOL, Verizon Digital Media Services and TechCrunch, runs a private bug bounty program through HackerOne. According to Oath, the program received 1,900 valid vulnerabilities this year, 300 of which were high or critical severity. By comparison, Facebook recently announced that it paid more than $1.1 million in bug bounties this year for 700 reported vulnerabilities.
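As an added, defender-side example (not code from the article, from Amnesty International, or from any party mentioned above): a small check that flags hostnames imitating the Gmail and Yahoo login pages, the lure the Amnesty report describes. It combines three heuristics a practitioner would want on a proxy or DNS log: exact match against known login hosts, a brand word appearing in a host that is not under the brand's own domain, and a typosquat-style near miss measured by edit distance. The legitimate hostnames are real; every other hostname and the sample URL list are constructed for illustration and are not indicators from the report.

```python
from urllib.parse import urlsplit

# Real login hosts for the two services named in the report.
LEGITIMATE_LOGIN_HOSTS = {
    "accounts.google.com",
    "login.yahoo.com",
}

# Registrable domains the brands actually own; subdomains of these are trusted.
LEGITIMATE_BRAND_DOMAINS = {"google.com", "gmail.com", "yahoo.com"}

# Brand words whose presence in an unrelated host is suspicious on its own.
BRAND_WORDS = ("google", "gmail", "yahoo")


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Adequate for the .com/.net/.org
    samples here; a production check would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_host(host, max_distance=2):
    """Return 'legitimate', 'suspicious' or 'unknown' for one hostname."""
    h = host.lower().rstrip(".")
    if h in LEGITIMATE_LOGIN_HOSTS:
        return "legitimate"
    reg = registrable_domain(h)
    if reg in LEGITIMATE_BRAND_DOMAINS:
        return "legitimate"          # genuine subdomain of a brand domain
    # Heuristic 1: brand word inside a host the brand does not own
    # (e.g. a lookalike whose real registrable domain is something else).
    if any(word in h for word in BRAND_WORDS):
        return "suspicious"
    # Heuristic 2: registrable domain is a near miss of a brand domain.
    for brand in LEGITIMATE_BRAND_DOMAINS:
        if levenshtein(reg, brand) <= max_distance:
            return "suspicious"
    return "unknown"


def flag_urls(urls):
    """Map each non-legitimate host seen in the URL list to its verdict."""
    verdicts = {}
    for url in urls:
        host = urlsplit(url).hostname
        if not host:
            continue
        verdict = classify_host(host)
        if verdict != "legitimate":
            verdicts[host] = verdict
    return verdicts


# Constructed sample: one real login URL plus made-up lookalikes.
SAMPLE_URLS = [
    "https://accounts.google.com/signin",
    "https://accounts-google.com/ServiceLogin",
    "https://login.yahoo.com.example.net/",
    "https://g00gle.com/",
    "https://example.org/",
]

if __name__ == "__main__":
    for host, verdict in flag_urls(SAMPLE_URLS).items():
        print(f"{verdict:10s} {host}")
```

Note that a lookalike page that reuses a brand's look while living on an unrelated domain is what this check catches; it says nothing about whether a code typed into such a page is then relayed, which is the part of the campaign that no hostname heuristic can see. That is why the report's point stands: the check reduces exposure to the lure but does not change the fact that an SMS code typed into the wrong page is accepted by the real service.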