![[Make the best use of everything]Internet Explorer is not dead? Hackers keep hacking with exploits – wepro180](https://www.wepro180.com/wp-content/uploads/2022/12/fb_IE-CVE.jpg "[Make the best use of everything]Internet Explorer is not dead? Hackers keep hacking with exploits – wepro180")
In June of this year, Microsoft announced that it would no longer support Internet Explorer and let Microsoft Edge launch an IE-compatible version. But recently discovered that hackers are still looking for IE loopholes, and use them for intrusion. The method is that an IE vulnerability is hidden in the Office files sent by email. Even if IE is not used as the default browser, these web content will still be rendered in IE.
Google earlier filled a zero-day vulnerability discovered by Microsoft November Patch Tuesday, designated as CVE-2022-41128, a remote execution vulnerability in JScript, one of the Windows JavaScript scripting languages. The vulnerability affects Windows Server from Windows 7 to Windows 11.
Although Microsoft no longer supports Internet Explorer and stops releasing updates, Google has discovered that IE vulnerabilities continue to be exploited in Office documents because the IE engine is still integrated with Office. According to TAG members Clement Lecigne and Benoit Sevens who reported the vulnerability to Microsoft, the IE exploit was developed by threat actor APT37 from North Korea.
TAG explained that attackers issued IE vulnerabilities in Office documents and used IE to render Office HTML content. For this reason, since 2017, the vulnerability has been exploited by hackers through Office, because even if Chrome is set as the default, Office will open with IE by default when it encounters HTML or web content.
Analysts pointed out that this vulnerability is very similar to the vulnerability CVE-2021-34480 discovered by Google Project Zero (GPZ) in IE 11’s JIT compiler last year. GPZ’s analysis of the new IE vulnerability also traces it back to IE’s JIT compiler. At the time, GPZ researcher Ivan Fratric pointed out that while Microsoft had ended support for IE 11, IE was still integrated into other products, including Microsoft Office.
TAG noted that in typical cases, when delivering IE exploits in Office documents, users must disable Office Protected View before getting remote RTF. TAG has yet to find the final payload for this campaign, but they noted that APT37, also known as ScarCruft and Reaper, also used ROKRAT, BLUELIGHT, and DOLPHIN for implants. APT37 implants usually use legitimate cloud services as C2 channels and provide typical backdoor functions.
Source: https://www.zdnet.com/article/hackers-are-still-finding-and-using-flaws-in-internet-explorer/
Related article:[Passive income]Malicious extension tools hidden in Chrome and Edge stores hijack search results to earn advertising fees