Microsoft Corporation’s Patch Tuesday security update yesterday fixed 67 bugs, including two that have been actively exploited in zero-day attacks, and another two whose details became public.
The first zero-day vulnerability, CVE-2018-8174, is a remote code execution vulnerability in the Windows VBScript Engine, caused by improper handling of objects in memory. Attackers can exploit this vulnerability to acquire the same user rights as the current legitimate user and ultimately gain full control of an affected system.
BleepingComputer, citing researchers from Qihoo 360, reported last month that an APT group has been exploiting this bug in a complex attack that affects the latest versions of Internet Explorer and any other applications that use the IE kernel.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” Microsoft explains in