Patch Lady – what’s the real risk?

So the zero day IE is finally out as an out of band patch.  On the Windows Defender security portal (1) they talk about the risk of this zero day….

For attacks to be successful, targets will need to use Internet Explorer or another application that utilizes the Internet Explorer scripting engine to open a link containing the exploit. Initial reports of attacks indicate the use of Microsoft Word documents (.docx) with lure content that entice recipients to click on malicious links. If the links are launched by Internet Explorer—the default web browser on machines running older platforms like Windows 7—exploitation can occur.

This analysis is based on limited, initial reports about actual attacks that exploit this vulnerability.

Customers have encountered Microsoft Word documents (.docx) containing a link to web pages with exploit code for CVE-2019-1367. Although other distribution mechanisms are possible, we have observed attacks distributing the documents as attachments on spear-phishing emails.

The documents themselves have been socially engineered with lure content—mostly around Middle Eastern and North African affairs—that entices recipients into clicking an embedded video element that is a link to external content. On many machines that run older platforms such as Windows 7, the link opens on Internet Explorer by default. Once the malicious link opens on a vulnerable instance of Internet Explorer, exploitation can occur, allowing attackers to run arbitrary code in the context of the current user.

In known attacks, the exploit runs malicious code that does the following:

• Uses an elevation of privilege (EoP) technique abusing the Web Proxy Auto Discovery (WDAP) protocol
• Downloads and runs a malicious executable cqe.exe (detected as Trojan:Win32/Hevor.A!dha)

The executable, which now serves as an initial implant, then proceeds to download other payloads from another location.

Mitigations

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

• Prioritize installation of the security update for CVE-2019-1367. The update is automatically deployed as a required update through Microsoft Update and the WSUS catalog. Customers with automatic updates turned on don’t need to take additional action.
• On machines that could not install the security updates, consider restricting access to JScript.dll to prevent exploitation. See the workaround in the CVE-2019-1367 advisory.
• Use Office 365 ATP for enhanced phishing protection and coverage against new threats and polymorphic variants. Office 365 ATP customers should ensure that Safe Links protection is enabled for users with Zero-hour Auto Purge (ZAP) to remove emails when a URL gets weaponized post-delivery.
• To take advantage of a modern web viewer for Office 365 applications, customers are encouraged to upgrade to Office 365 version 16.0.11629 and Windows 10 version 1903. With these or newer versions, Office 365 applications use Microsoft Edge WebView to load web content instead of Internet Explorer, which is affected by this vulnerability.
• To prevent exploitation of WPAD, upgrade to Windows 10 version 1809 or newer.
• Block external content in Word documents by enabling the Group Policy Object (GPO) Allow Online Videos to play within Word under User Configuration > Administrative Templates > Microsoft Word 2016 > Word Options > General. This GPO is available only upon installation of the Microsoft Word 2016 update described in KB4462193 or a later cumulative update.
• Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
• Turn on attack surface reduction rules, including rules that can block process creation initiated by Office applications and rules that can block scripts (JavaScript and VBScript) from launching downloaded executable content.
• Turn on network protection to block connections to malicious domains and IP addresses.
• Customers are encouraged to use Microsoft Edge or other modern web browsers where possible. For tasks that require Internet Explorer, customers should limit its use to these tasks and set a different application as the default browser.
• Educate end users about preventing malware infections by ignoring or deleting unsolicited and unexpected emails.

So … the risk is from targeted emails, the risk is opening .doc files, the risk is higher on machines 1803 and older (Windows 7).

So I don’t see this as great of a risk to you and me.

(1) you have to be a subscriber to the Microsoft Defender ATP license (E5) in order to get to the original link.