Microsoft patches zero-day exploit against Internet Explorer
Researchers at Trend Micro recently discovered a high-risk zero-day exploit against the latest versions of Windows and Internet Explorer in malicious web traffic, the security firm announced on Wednesday. Microsoft issued patches this week.
The vulnerability, dubbed CVE-2018-8373, is “a remote code execution vulnerability [that] exists in the way that the scripting engine handles objects in memory in Internet Explorer,” according to Microsoft.
“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” Microsoft said.
The vulnerability is exploited by visiting a malicious web page or opening a malicious Microsoft Word document rendered with Internet Explorer.
Internet Explorer is the second-most-popular web browser after Google Chrome. It’s also especially popular in enterprise environments, which means exploits can potentially be used to attack businesses and other large organizations.
Trend Micro security researcher Elliot Cao is credited with discovery.
When the exploit is executed against users on an administrator account, hackers can run malicious code with the highest permissions.
The new exploit uses the same obfuscation technique as CVE-2018-8174, a similar zero-day vulnerability discovered in April 2018. Researchers suspect the same actor created both exploits.