Internet Explorer 0-Day Discovered
Microsoft has released a patch for this vulnerability, and we strongly advise to apply it, as it is just a matter of time before other threat actors start leveraging this new opportunity in spam or exploit kit campaigns. In late April, two security companies (Qihoo360 and Kaspersky) independently discovered a zero-day for Internet Explorer (CVE-2018-8174), which was used in targeted attacks for espionage purposes. This marks two years since a zero-day has been found (CVE-2016-0189 being the latest one) in the browser that won’t die, despite efforts from Microsoft to move on to the more modern Edge.
The vulnerability exists in the VBScript engine and how it handles memory objects. It will also affect IE11, even though VBScript is no longer supportedby using the compatibility tag for IE10. The attack came via a Word document making use ofOLE autolink objects to retrieve the exploit and shellcode from a remote server.
However, it is important to note that it could very well have been executed by visiting a website instead.