
Patch your Windows 10 PC, now! Hackers are exploiting a zero-day flaw

Patch your Windows 10 device quickly, as hackers are currently taking advantage of a zero-day “Double Kill” flaw in Internet Explorer to infect PCs across the globe. The fix is part of Microsoft’s latest Patch Tuesday update for Windows 10, addressing the vulnerability discovered by the Qihoo 360 Core Security team in late April. The flaw is officially labeled CVE-2018-8174, ignoring the 360 Core Security team’s “Double Kill” codename.

According to the team, hackers can embed a malicious website inside an Office document. Once the document is opened, the embedded site deploys malicious code and its payload from a remote web-based server. The attack also bypasses the User Account Control component in Windows 10, acquiring administrator-level privileges. The attack is executed within system memory as well, so you’ll find no evidence of foul play on the device’s local storage.

Microsoft says the problem resides in the VBScript engine. That’s short for Visual Basic Scripting, Microsoft’s programming language included in Internet Explorer for creating system management tools. The vulnerability resides in the way this engine handles objects in memory, allowing hackers to inject code into memory and gain the same user rights as the current user. 

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine,” Microsoft says. 

But that’s not all. Hackers could also take advantage of websites that “accept or host user-provided content or advertisements” by injecting specially crafted content. The good news here is that the only attack vector discovered thus far is an Office document with a malicious website embedded in it. Despite that limitation, a successful attack provides hackers with complete control of the victim’s PC without their knowledge.

While many Windows 10 device owners may scratch their heads wondering why this Internet Explorer flaw is relevant, the browser remains a Windows component for legacy support. Many websites, applications, and corporations still rely on elements that are only compatible with Internet Explorer and have not moved on to the newer technology offered in Microsoft Edge.

The 360 Security Center team said this is the first advanced persistent threat (APT) campaign to use an Office document carrying this specific Internet Explorer exploit payload. Using Office documents, however, is nothing new. 

“In recent years, we have discovered a rising trend that Office documents have taken the center stage of APT attacks,” the security team said. “Opening any malicious documents with ‘double kill’ allows attackers to control victims’ computers without their knowledge, making ransomware infection, eavesdropping, and data leakage convenient and stealthy.”

As always, never open a document from an unknown source. Also keep your Windows 10 PC up to date with security patches, given that Microsoft’s operating system is a highly popular target. Keep your firewall locked and loaded and your anti-virus solution updated as well. You can remove Internet Explorer by following these instructions.

Kevin Parrish
Former Digital Trends Contributor