December 9, 2022

According to Google’s Threat Analysis Group, North Korean state-sponsored hackers used a previously unknown zero-day vulnerability in Internet Explorer known as CVE-2022-41128 (CVSS score of 8.8) in one of Windows JavaScript scripting languages, JScript9, the JavaScript engine used in IE11, to target South Korean users with malware.

The flaw affected Windows 7 through Windows 11, as well as Windows Server 2008 until 2022.

According to a report from Google’s Threat Analysis Group (TAG) on Wednesday, researchers notified Microsoft about CVE-2022-41128 and the issue was patched “within a few hours.”

“This vulnerability requires that a user with an affected version of Windows accesses a malicious server. An attacker would have to host a specially crafted server share or website,” Microsoft warned at the time. Adding that an attacker would need to entice the intended victim into visiting a specially crafted server share or website to trigger the exploit.

Because Office renders HTML content using IE, the attackers distributed the IE exploit in an Office document. Because, even if Chrome is set as the default, Office defaults to the IE engine when it contacts HTML or web content, IE exploits have been delivered via Office since 2017.

After opening the document, an unknown payload would be delivered after downloading a rich text file (RTF) remote template that would render remote HTML using Internet Explorer. Despite the fact that Internet Explorer was officially retired in June and replaced by Microsoft Edge, Office continues to use the IE engine to execute the JavaScript that allows the attack.

The sources for this piece include an article in ZDNet.