New CVE-2018-8373 Exploit Spotted in the Wild
(Sep 25, 2018)
A new exploit has been observed in the wild using a use-after-free vulnerability registered as “CVE-2018-8373.” This vulnerability affects the VBScript engine in newer Windows versions (7 and 10), and the new exploit obtains execution permissions from “Shell.Application” by modifying its SafeMode flag. SafeMode is intended to decide whether a script is safe to run or not. By altering VBScript’s SafeMode so that it is no longer in effect, the exploit lets the shellcode in the script run directly without authorisation. The exploit does not work on machines that are supported by Microsoft or have patched versions of Internet Explorer. Microsoft has since issued a patch for this vulnerability.
Recommendation: Microsoft has released a patch for this vulnerability, and it should be applied immediately if you have not done so yet. The vulnerability is present on older versions of Internet Explorer (IE 10 and under), likely because they are no longer supported, and thus no patches have been or will be released for those older versions.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.