CVE-2018-8174: Windows VBScript Engine Remote Code Execution Vulnerability – An advisory by Quick Heal Security Labs

The recent zero-day vulnerability in Windows VBScript Engine (CVE-2018-8174), enables attackers to perform a remote code execution on targeted machines. Microsoft has released a security advisory CVE-2018-8174 on May 8, 2018, to address this issue. According to Microsoft, it impacts most of the Windows Operating Systems.

Vulnerable versions

• Windows 7 x86 and x64 versions
• Windows Server 2012 R2
• Windows RT 8.1
• Windows Server 2008
• Windows Server 2012
• Windows 8.1
• Windows Server 2016
• Windows Server 2008 R2
• Windows 10
• Windows 10 Servers

About the vulnerability

This is a use-after-free vulnerability in VBScript Engine which allows attackers to perform a remote code execution on targeted machines. After successful exploitation, attackers can take control of the vulnerable systems and download and execute malware on them.

The vulnerability is currently being exploited in the wild through a malicious Office document which is a Microsoft Office/WordPad exploit (CVE-2017-0199). The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Quick Heal detection

Quick Heal’s generic detection ‘Exp.RTF.CVE-2017-0199.AO’ for Microsoft Office/WordPad exploit (CVE-2017-0199), released on December 12, 2017, detects the initial attack vector observed in the wild.

Quick Heal has released the following detection for the vulnerability CVE-2018-8174:

• Exp.IE.CVE-2018-8174
• HTTP/CVE-2018-8174.IE

Quick Heal Security Labs is actively looking for new in-wild exploits for this vulnerability and ensuring coverage for them.

References

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8174
https://blogs.360.cn/blog/cve-2018-8174-en/

Prashant Kadam