Software developers face a daunting challenge every day with the products they maintain. Not only does their software need to work well and accomplish what it advertises, it also needs to improve constantly and be secure against hacks. If a product or application is still supported, it’s the responsibility of the software maker to protect the users of its products.
And this is not easy, of course. It’s a game of cat and mouse as hackers continuously poke holes in popular software and developers patch them as they come. This is why software companies typically need the help of software bug bounty hunters, since it’s impossible for them to catch all the potential flaws and bugs in their products.
The worst of these bugs are what are known as “zero-day” bugs. These are previously unknown bugs that hackers are already actively exploiting.
Read on and I’ll tell you about the latest one that’s plaguing this surprisingly still popular web browser.
Zero-day in Internet Explorer
Software security firm Qihoo 360 has revealed a new malware campaign that is actively exploiting a previously unknown zero-day flaw in Microsoft’s Internet Explorer.
Zero-day exploits are some of the biggest threats developers face. The term “zero-day flaw” is just a fancy way of describing exploits that are discovered and abused by hackers before the software company has time to issue a patch.
This time, hackers are distributing malicious Microsoft Office documents to install malware and backdoors on infected Windows machines. These poisoned documents are reportedly targeting a previously unknown “double kill” vulnerability in Internet Explorer and any other application that uses the browser.
How does it work?
Once an unsuspecting victim opens the booby-trapped Office document, which has a malicious webpage embedded in it, malicious code runs on the target machine. This code then downloads and installs the attacking program from a remote server.
Although the actual flaw it uses to initiate the exploit is still not publicly known, the attack reportedly also uses a known User Account Control (UAC) bypass bug in its later stages.
It also hides its malicious activity via “file steganography.” Steganography is a technique where malicious files or messages are concealed inside another seemingly harmless file or program to evade detection.
The zero-day exploit affects all versions of Internet Explorer and applications that use it. You don’t even have to be actively using Internet Explorer to get infected. As soon as you open the malicious Office document, the malware automatically does what it is set to do.
Who could be behind the campaign?
Qihoo 360 said that an Advanced Persistent Threat (APT) group is quite possibly behind the attacks. APT groups are highly organized hacking units whose main goal is to steal data, sabotage infrastructure and disrupt businesses covertly with targeted attacks.
APT groups are typically state-sponsored, but it’s still not clear if these current attacks are politically motivated or related to cyber espionage.
In the meantime…
Qihoo 360 researchers said that they already reported the flaw to Microsoft on April 19. Based on the standard 90-day “responsible disclosure” timeframe, they are giving the company enough time to issue a patch before they publicly reveal more details about the exploit.
As we await Microsoft’s patch, please be extra careful about opening any Office documents sent from unknown sources either via email or file sharing. Although you may not be using Microsoft’s infamous Internet Explorer browser anymore, you’re still at risk from this attack.
How to update
Microsoft typically issues its security fixes on the second or third Tuesday of each month (unofficially known as Patch Tuesday), but we’re hoping it will issue a patch for this flaw sooner via an emergency update.
At any rate, here’s how to apply the latest Windows patches.
How to update Windows
Most Windows machines are set to download and install updates automatically by default. If you haven’t changed your automatic update settings then you should be fine.
If you want to check, here’s how:
On Windows 10, click Start (Windows logo), choose “Settings,” select “Update & Security,” then on the “Windows Update” section, select “Check for Updates.” (Note: the “Windows Update” section is also handy for showing you updates that are currently being downloaded or applied.)
If you have an older Vista or Windows 7 system, check out our tips on how to set up and check Windows Updates.