While difficult to do in the industrial control environment, but if a Microsoft patch is available, it might be wise to either patch the hole or find a strong mitigation.
That is because attackers are going after a patched vulnerability in Microsoft’s VBScript engine, researchers said.
CVE-2018-8373 is a memory corruption issue that would result in remote code execution in the context of the current user. The flaw is the result of the way the VBScript scripting engine handles objects in memory in Internet Explorer.
“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said in a post.
Impacting the VBScript engine in the latest versions of Windows, the vulnerability does not affect Internet Explorer 11, as “VBScript in Windows 10 Redstone 3 (RS3) has been effectively disabled by default,” said Elliot Cao of Trend Micro Security Research with Trend Micro’s Zero Day Initiative (ZDI), who discovered the issue, in a post.
“We found this exploit using heuristics, which led to a more in-depth analysis. Interestingly, we found that this exploit sample uses the same obfuscation technique as exploits for CVE-2018-8174, a VBScript engine remote code execution vulnerability patched back in May,” Cao said.
“The creator used a new use-after-free (UAF) vulnerability in vbscript.dll, which remained unpatched in the latest VBScript engine,” Cao said.
“As a first line of defense, we recommend applying the latest security patches once they’re available to prevent exploits,” Cao said. “Users can also employ solutions that defend against possible exploits. A proactive, multilayered approach to security is key against threats that exploit vulnerabilities — from the gateway, endpoints, networks, and servers.”