Skip to main content

Patch your Windows 10 PC, now! Hackers are exploiting a zero-day flaw

Patch your Windows 10 device quick, as hackers are currently taking advantage of a zero-day “Double Kill” flaw in Internet Explorer to infect PCs across the globe. The fix is part of Microsoft’s latest Patch Tuesday update for Windows 10, addressing the vulnerability discovered by the Qihoo 360 Core Security team in late April. The flaw is officially labeled as CVE-2018-8174, ignoring the 360 Core Security team’s “Double Kill” codename. 

According to the team, hackers can embed a malicious website inside an Office document. Once opened, the embedded site deploys malicious code and its payload from a remote web-based server. The attack also bypasses the User Account Control component in Windows 10, acquiring administrator-level privileges. The attack is executed within the system memory as well, thus you’ll find no evidence of foul play on the device’s local storage. 

Recommended Videos

Microsoft says the problem resides in the VBScript engine. That’s short for Visual Basic Scripting, Microsoft’s programming language included in Internet Explorer for creating system management tools. The vulnerability resides in the way this engine handles objects in memory, allowing hackers to inject code into memory and gain the same user rights as the current user. 

Please enable Javascript to view this content

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine,” Microsoft says. 

But that’s not all. Hackers could also take advantage of websites that “accept or host user-provided content or advertisements” by injecting specifically crafted content. The good news here is that the only attack vector discovered thus far is by injecting an Office document with a malicious website. Despite that limitation, a successful attack provides hackers with complete control of the victim’s PC without their knowledge. 

While many Windows 10 device owners may scratch their heads wondering why this Internet Explorer flaw is relevant, the browser still remains as a Windows component for legacy support. Many websites, applications, and corporations still rely on elements that are only compatible with Internet Explorer and have not moved on to the newer technology offered in Microsoft Edge.  

The 360 Security Center team said this is the first advanced persistent threat (APT) campaign to use an Office document carrying this specific Internet Explorer exploit payload. Using Office documents, however, is nothing new. 

“In recent years, we have discovered a rising trend that Office documents have taken the center stage of APT attacks,” the security team said. “Opening any malicious documents with “double kill” allows attackers to control victims’ computers without their knowledge, making ransomware infection, eavesdropping, and data leakage convenient and stealthy.” 

As always, never open a document from an unknown source. Also keep your Windows 10 PC up to date on a security level given Microsoft’s operating system is a highly popular target. Keep your firewall locked and loaded and your anti-virus solution updated as well. You can remove Internet Explorer by following these instructions. 

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
ChatGPT’s new Pro subscription will cost you $200 per month
glasses and chatgpt

Sam Altman and team kicked off the company's "12 Days of OpenAI" event Thursday with a live stream to debut the fully functional version of its 01 reasoning model, as well as a new subscription tier called ChatGPT Pro. But to gain unlimited access to these new features and capabilities, you're going to need to shell out an exorbitant $200 per month.

The 01 model, originally codenamed Project Strawberry, was first released in September as a preview, alongside a lighter-weight o1-mini model, to ChatGPT-Plus subscribers. o1, as a reasoning model, differs from standard LLMs in that it is capable of fact-checking itself before returning its generated response to the user. This helps such models reduce their propensity to hallucinate answers but comes at the cost of a longer inference period and slower response.

Read more
Surface Pro alternative: This Asus Chromebook is another $70 off today
A man holding the Asus Chromebook CM3001 Laptop.

While fast and powerful CPUs and GPUs go a long way with a desktop or laptop, not every PC needs to be a workhorse. Some folks only need a computer for basic web browsing or watching the occasional HD movie or show. That’s why we’re always on the lookout for great Chromebook deals. These Chrome OS machines are just strong enough to deliver a notch above the basics, and today, we found an excellent discount on an Asus Chromebook. For a limited time, when you purchase the Asus Chromebook CM3001 Laptop at Best Buy, you’ll only pay $230. At full price, this model sells for $300.

Why you should buy the Asus CM3001 Laptop
From its convenient 2-in-1 design (check out our list of the best 2-in-1 deals) to its beautiful 10.5-inch 1920 x 1200 touchscreen (WUXGA), the CM30 is a laptop you’ll have zero issues taking just about anywhere. Its light form factor is a huge plus, and when closed, the CM30 is only 0.67 inches thick! And while we’re not dealing with Intel or AMD for internals, the onboard MediaTek Kompanio 520 CPU runs and smooth and efficient ship. It's also a great Surface Pro alternative, for those tiring of the Windows way.

Read more
Get Copilot+ features for less with this Asus laptop deal
An Asus ProArt P16 laptop on a white background.

One of the best laptop deals right now is perfect for anyone who is seeking a Copilot PC. If you’re looking to enjoy AI features, check out the Asus ProArt P16 laptop which is $200 off at Best Buy. The laptop normally costs $1,900 but right now, you can buy it for $1,700. A high-end productivity-focused laptop which also packs a punch for some gaming too, this is an ideal workhorse of a PC. Here’s all you need to know about it alongside some insight into the wonders of Copilot.

Why you should buy the Asus ProArt P16 laptop
Asus features in our look at the best laptop brands thanks to the company being great at developing all-rounder laptops. The Asus ProArt P16 laptop is one such highlight. It has an AMD Ryzen AI 9 HX 370 CPU, 32GB of memory, 1TB of SSD storage, and an Nvidia GeForce RTX 4060 GPU.

Read more