New Windows VBScript Vulnerability: A Case Study
By BUFFERZONE Team, 10/06/2018
This recently-exploited Windows vulnerability, first discovered in April 2018 and officially recognized by Microsoft in May, provides a fascinating glimpse into methods used by malicious attackers, and has some wider ramifications for security strategies.
Case History: From Discovery to Remediation
Ramifications: Learning the Lessons
You don’t have to worry about this particular vulnerability: To avoid it, all you need to do is to install the Microsoft security patch, which is included in their automatic updates. What you do need to worry about is what the existence of this vulnerability, and of others like it, means for the future.
As this case exemplifies, software is constantly changing and developing, and the people responsible for that development make mistakes. This time it was a mistake in a VBScript method deprecation; next time it will be in some other component. And another lesson learned is that vulnerabilities aren’t generally discovered by the security establishment until the criminals have already exploited them – by which time it’s too late for someone; and even then, it can take some time until a fix is developed and your systems are updated.
Detection-based security systems are only as good as the security establishment’s knowledge of existing attack signatures and behaviors. Even behavior-detection security products are far from a guarantee against tomorrow’s software vulnerabilities, which may already exist in your systems, waiting to be exploited.
A New Defense Paradigm: Isolation
To protect against the unknown, the only effective solution is to proactively make sure that exploits can’t reach your valuable and trusted systems. BUFFERZONE provides exactly such a solution: proactive endpoint isolation by containment. Regardless of specific attack vectors, exploited vulnerabilities, and payloads, BUFFERZONE always does the same thing: browsing sessions, email attachments, and other applications that access external, untrusted content such as unknown internet sites are kept in a virtual container, along with processes started by those sessions and anything they save or download. Contained processes cannot reach native endpoint or organizational resources such as an intranet; those are accessed only by uncontained browsing sessions and applications, which can’t have accessed untrusted sites. For when needed, BUFFERZONE includes CDR (Content Disarm & Reconstruction) for disarming and extracting data from the container.
Had CVE-2018-8174 been exploited on an endpoint protected by BUFFERZONE, the attack could have taken over memory and resources – but only inside the container, doing no lasting harm. It could not have affected the native endpoint, and could not have read any information from file
areas designated as hidden from the container. And within a day or so it would have been wiped clean along with the rest of the container, according to organizationally-configured schedule.
Don’t wait for the next new attack. Protect your organization now.
Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack, Qihoo 360 Core Security, 9/5/18
Root cause analysis of the latest Internet Explorer zero day – CVE-2018-8174, Kaspersky Lab, 9/5/18
CVE-2018-8174 | Windows VBScript Engine Remote Code Execution Vulnerability, Microsoft Security TechCenter, 8/5/18