Microsoft has released a patch for a remote code execution vulnerability in the Windows VBScript engine. Double Kill, also known as CVE-2018-8174 [1], has been actively exploited in the wild by a limited number of threat actors. If successfully exploited, Double Kill gives the threat actor the same permissions as the compromised user, so an account running with administrative rights hands those rights to the attacker. Proof of concept (PoC) code has been released for this vulnerability, increasing the likelihood of additional threat actors exploiting it [2].

What we’re doing about it

  • esNETWORK rules have been deployed to detect active exploitation attempts.
  • The eSentire Threat Intelligence team is actively monitoring the situation for changes.

What you should do about it

  • After a business impact review, apply the Microsoft patches from the most recent Patch Tuesday (May 8, 2018).
  • Implement least privilege so that a compromised user account does not carry administrative rights and the damage from a successful exploit is contained.
  • Ensure employees are aware of ongoing email and web-based threats, including malicious attachments and links.
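A quick host-side check that the May 8, 2018 fix is present, as an added example that is not part of the eSentire advisory. The KB identifiers differ per Windows build and are not given in the advisory text, so the function takes them as a parameter; look them up in the Affected Products table of the Microsoft advisory [1] before running it. The function name, the parameter name and the placeholder KB value in the usage line are assumptions for illustration.

```powershell
# Added example (not eSentire's or Microsoft's code): report whether the
# CVE-2018-8174 fix is installed on this host.
# Assumption: -Kbs receives the KB ID(s) for this OS build, taken from [1].
function Test-VBScriptPatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]] $Kbs
    )

    # Which of the required updates are actually installed.
    $installed = (Get-HotFix).HotFixID
    $present   = @($Kbs | Where-Object { $installed -contains $_ })

    # Both copies of the engine matter: 32-bit Internet Explorer and Office on
    # 64-bit Windows load the SysWOW64 copy, not the System32 one.
    $dlls = @("$env:SystemRoot\System32\vbscript.dll",
              "$env:SystemRoot\SysWOW64\vbscript.dll") |
        Where-Object { Test-Path $_ } |
        ForEach-Object {
            $f = Get-Item $_
            [pscustomobject]@{
                Path        = $f.FullName
                FileVersion = $f.VersionInfo.FileVersion
                LastWrite   = $f.LastWriteTime
            }
        }

    # One record per host; collect across the estate with Invoke-Command.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSBuild      = (Get-CimInstance Win32_OperatingSystem).BuildNumber
        RequiredKbs  = ($Kbs -join ',')
        InstalledKbs = ($present -join ',')
        Patched      = ($present.Count -gt 0)
        VBScriptDlls = $dlls
    }
}

# Usage: replace the placeholder with the KB ID for this build from [1].
# Test-VBScriptPatch -Kbs 'KBnnnnnnn' | Format-List
```

The Patched field is the authoritative signal; the vbscript.dll version and timestamp are reported so an analyst can compare them against the file information Microsoft publishes for the update, and to catch hosts where the update shows as installed but the engine binary was not replaced (for example, a pending reboot).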

Additional information

Double Kill affects a wide variety of Windows products that use the VBScript engine; for the full list, see the Affected Products section of the official Microsoft advisory [1].

This vulnerability is caused by a flaw in the way the VBScript engine handles objects in memory. From initial assessment, delivery of the exploit may occur through both phishing attempts and web-based attacks: Kaspersky's root cause analysis [2] describes the in-the-wild sample as a malicious Office document that loads an exploit page through the Internet Explorer engine, and the same VBScript can equally be served from a web page.

References:

[1] Microsoft Security Response Center, "CVE-2018-8174 | Windows VBScript Engine Remote Code Execution Vulnerability", https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174

[2] Kaspersky Lab (Securelist), "The King is dead. Long live the King! Root cause analysis of the latest Internet Explorer zero-day – CVE-2018-8174", https://securelist.com/root-cause-analysis-of-cve-2018-8174/85486/
