The vulnerability was spotted in the wild by Trend Micro researcher on July 11, 2018. The exploit sample detected by the researchers was using the same obfuscation technique as exploits for CVE-2018-8174, spotted in the wild by Qihoo 360 in April 2018.
Vulnerable component: Microsoft Internet Explorer
CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-416 - Use After Free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error in VBScript when the scripting engine handles objects in memory in Internet Explorer. A remote unauthenticated attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: The vulnerability has been exploited in the wild.
Latest references in media:
- ShadowTalk Update тАУ 08.27.2018 [2018-08-27 17:11:37]
- Security Affairs newsletter Round 177 тАУ News of the week [2018-08-26 14:40:09]
- North Korean Hackers Exploit Recently Patched Zero-Day [2018-08-20 21:00:10]
- Vulnerability in MicrosoftтАЩs VBScript Engine Taken Advantage by Darkhotel [2018-08-20 12:31:05]
- Windows VBScript Engine Zero-day Flaw used by Darkhotel Hackers [2018-08-20 04:00:46]
- North Korea-linked Dark Hotel APT leverages CVE-2018-8373 exploit [2018-08-19 18:00:08]
- Zero-Day In Microsoft's VBScript Engine Used By Darkhotel APT [2018-08-18 17:10:17]
- Zero-Day In Microsoft’s VBScript Engine Used By Darkhotel APT [2018-08-18 16:30:17]
- Weekly podcast: Intel Foreshadow attack, Cosmos cash-out scheme, TLS 1.3 and Patch Tuesday [2018-08-17 11:01:23]
- Microsoft Patch Tuesday Addresses 60 Vulnerabilities Including 2 Zero-Day Vulnerabilities [2018-08-16 10:00:53]
- August 2018 – Microsoft Patch Tuesday [2018-08-15 20:30:11]
- Microsoft patches zero-day exploit against Internet Explorer [2018-08-15 19:50:58]
- Patch Tuesday fallout: Bad docs, but so far no major problems [2018-08-15 18:10:12]
- Patch Tuesday, August 2018 Edition [2018-08-15 17:11:15]
- Patch Tuesday, August 2018 Edition [2018-08-15 17:10:17]
- Microsoft Fixes 60 Flaws Including Two Zero-Days [2018-08-15 12:10:05]
- August 2018 Patch Tuesday: Microsoft fixes two actively exploited zero-days [2018-08-15 11:01:19]
- August 2018 Patch Tuesday: Microsoft fixes two actively exploited zero-days [2018-08-15 10:50:09]
- August 2018 Microsoft Patch Tuesday fixes two flaws exploited in attacks in the wild [2018-08-15 10:50:08]
- Microsoft Patches Zero-Day Flaws in Windows, Internet Explorer [2018-08-15 07:50:10]
- August Patch Tuesday: A Tale of Two Zero-Days [2018-08-15 07:40:15]
- Patch Tuesday, August 2018 [2018-08-15 03:40:53]
- Patch Tuesday, August 2018 [2018-08-15 02:12:12]
- Patch Tuesday heats up with pair of zero-days, plus 58 other fixes [2018-08-15 01:10:01]
- Microsoft August 2018 Patch Tuesday Fixes 60 Security Flaws, Including Two Zero-Days [2018-08-14 22:10:24]
Vulnerability scanning SaaS service is online 3-rd generation vulnerability scanner with scheduled assessments and vulnerability subscription. You can use service to check security of your network perimeter.