In an update released December 2022, Microsoft patched a zero-day vulnerability that was being actively exploited. A zero-day vulnerability is a weak point in software that could be exploited from the day it is released. The fear is that someone learns to exploit the new code quickly and causes harm before the developers are aware of the flaw, and before they can work on a patch to fix it.
This vulnerability bypassed the security warnings that usually display and block a user when opening a file downloaded from a dangerous website. The attackers were able to use JavaScript files to bypass this Mark of the Web feature and then deliver dangerous malware.
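To make the Mark of the Web point concrete, here is an added PowerShell check (not from the original post and not SpireTech's tooling) that audits a folder for downloaded script and shortcut files and reports whether each one carries the Zone.Identifier stream that Windows uses to mark Internet-sourced files. The folder path and the extension list are assumptions for the example.

```powershell
# Added example (not from the original post): audit downloaded files for Mark of the Web.
# Windows stores the Mark of the Web as an NTFS alternate data stream named
# "Zone.Identifier" containing "[ZoneTransfer]" and "ZoneId=3" for Internet files.
# A file that came from the Internet but has no Zone.Identifier stream will not
# trigger the usual SmartScreen / security warnings when it is opened.
# The folder and extension list below are assumptions for this example.

param(
    [string]$Folder = "$env:USERPROFILE\Downloads",
    [string[]]$Extensions = @('.js', '.jse', '.url', '.lnk', '.vbs', '.iso')
)

function Get-MotwReport {
    param([string]$Path, [string[]]$Ext)

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Ext -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $file   = $_
            $zoneId = $null
            try {
                # -Stream reads the alternate data stream; it throws if the stream is absent
                $content = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction Stop
                $match   = $content | Select-String -Pattern '^ZoneId=(\d+)' | Select-Object -First 1
                if ($match) { $zoneId = [int]$match.Matches[0].Groups[1].Value }
            } catch {
                # No Zone.Identifier stream: the file carries no Mark of the Web
            }

            # ZoneId 3 = Internet, 4 = Restricted Sites; these normally trigger warnings
            if ($null -eq $zoneId)  { $status = 'NO MARK OF THE WEB - review' }
            elseif ($zoneId -ge 3)  { $status = 'Marked (Internet/Restricted)' }
            else                    { $status = 'Marked (local/intranet)' }

            [pscustomobject]@{
                File      = $file.FullName
                Extension = $file.Extension
                ZoneId    = $zoneId
                HasMotW   = ($null -ne $zoneId)
                Status    = $status
            }
        }
}

# Usage: run the script as-is to audit the Downloads folder, or pass -Folder and -Extensions
Get-MotwReport -Path $Folder -Ext $Extensions | Format-Table -AutoSize
```

Files flagged "NO MARK OF THE WEB" in a downloads folder are worth a second look, because they will open without the warning the post describes. Files inside archives or on a mounted ISO also inherit no mark, which is one reason the check includes container formats.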
In a successful phishing attempt, a user's actions could result in the delivery of Magniber ransomware or Qbot malware payloads. Magniber is something of an alleged hacker group and usually targets email addresses and user information. Qbot, meanwhile, is a well-known banking trojan designed to steal your financial information.
However, a user needed to interact with a clickable link in order to start this chain of events. This is why we at SpireTech endlessly reiterate: be careful what you click on, even if you consider yourself a savvy tech user.
Microsoft outlined three ways this vulnerability could have been exploited:
- Via a website designed by the hacker to compromise your system
- Via an email or message to the user, with a clickable .url file attached
- Via other websites that are knowingly or unknowingly passing on the dangerous link
You'll notice the user needs to choose to click on something every time. Be careful!
This vulnerability was found in late October and patched a few weeks ago, six or more weeks later. Microsoft confirmed that the vulnerability had been exploited but did not release a statement on the scope of who was affected.