Hackers delivered an IE exploit in an emailed Office document

Google has filled in the blanks about a curious zero-day flaw that Microsoft addressed in its November Patch Tuesday.

The remote code execution flaw, tracked as CVE-2022-41128, was in JScript9, one of Microsoft's Windows JavaScript scripting engines and the one used in IE 11. The bug affected Windows 7 through to Windows 11, as well as Windows Server 2008 through 2022.

Microsoft ended support for IE 11 on June 15, 2022, and has been encouraging customers to use Edge with ‘IE mode’ instead. But Google has found that this type of IE bug continues to be exploited through Office documents because the IE engine remains integrated with Office.

And who were the actors behind the newly discovered exploit for legacy IE 11?

According to TAG members Clement Lecigne (who reported the flaw to Microsoft) and Benoit Sevens, the IE exploit was developed by the North Korean actor APT37.

The attackers distributed the IE exploit in an Office document because, as TAG explains, Office renders HTML content using IE. IE exploits have been delivered via Office since 2017 for this reason: even if Chrome is set as the default browser, Office defaults to the IE engine when it encounters HTML or web content.

“Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape,” the threat analysts note.

They also note that this flaw is very similar to the bug, CVE-2021-34480, that Google Project Zero (GPZ) found last year in IE 11’s JIT compiler. GPZ’s analysis of the new IE flaw also traced it to IE’s JIT compiler.

At the time, GPZ researcher Ivan Fratric noted that, although Microsoft had ended support for IE 11, IE (or the IE engine) was still integrated into other products, most notably, Microsoft Office. Due to that still-existing integration, Fratric wondered how long it would take before attackers stopped abusing it.

December 8, 2022

Written by Liam Tung

Click to read the entire article on ZDNet
