Qihoo 360, a Chinese internet security company, discovered a zero-day vulnerability (CVE – 2018 – 8174) with the current version of Internet Explorer after foreign trade organizations in China were affected by the exploit. The “double kill” vulnerability was reported to Microsoft and they released the following statement:
“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide remediation via our current Update Tuesday schedule.
The brief response aligns with Microsoft being more interested in moving users to Edge, as a more modern competitor with Chrome and Firefox, than continuing to heavily support Internet Explorer. While Internet Explorer remains largely unused for web browsing, it is a built-in feature of Windows 10.
If you have yet to migrate to Windows 10, this vulnerability also affects:
- Windows 7
- Windows Server 2012 R2
- Windows RT 8.1
- Windows Server 2008
- Windows Server 2012
- Windows 8.1
- Windows Server 2016
- Windows Server 2008 R2
- Windows 10 Servers
Depending on your organization’s default policies, this could result in personnel opening links and sites in Internet Explorer rather than a more secure browser. Additionally, the exploit uses Office-based lure documents that will open Internet Explorer on their own. These documents bypass the user needing to initiate anything in Internet Explorer.
On May 8th, Microsoft released a patch that fixed the vulnerability. For those systems that are not receiving regular patches, there is still an opportunity for threats to exploit unpatched systems. If your organization has endpoints that have Internet Explorer installed, we recommend ensuring all systems are properly patched to minimize your risk. Though there doesn’t seem to currently be widespread attacks using this vector, it is only a matter of time before more threats begin using the opportunity on a larger scale.
If you would like to further discuss how this could affect your organization, or discuss how to build, strengthen, or ensure compliance with your Information Security program, schedule a meeting with us today.