Google releases details of CVE-2022-41128 vulnerability in Internet Explorer, exploited by ScarCruft hackers

[German]Security researchers at Google Threat Analysis Group (TAG) have published details of a (then 0-Day) vulnerability in Internet Explorer's JavaScript engine that was discovered on October 31, 2022. This 0-Day was probably actively exploited by North Korean hackers to attack targets in South Korea via compromised Word documents. The CVE-2022-41128 vulnerability will be closed with Microsoft's security updates for Windows on November 8, 2022 (Patchday).


0-day vulnerability discovered

Google's Threat Analysis Group (TAG) regularly searches for 0-day vulnerabilities in software that are exploited in the wild. At the end of October 2022, the team led by Benoît Sevens and Clément Lecigne came across such a vulnerability in Microsoft's Internet Explorer. A North Korean government-backed group (APT37, also known as ScarCruft, InkySquid, Reaper, and Ricochet Chollim) used the vulnerability to attack users in South Korea via malicious code embedded in documents.

Vulnerability patched in November 2022

These malicious documents exploited a (still unpatched in Oct. 2022) 0-day vulnerability CVE-2022-41128 in Internet Explorer's JScript engine. Within hours of discovering this 0-day vulnerability, security researchers reported it to Microsoft. As of November 8, 2022, Microsoft then closed this vulnerability (see Microsoft Security Update Summary (November 8, 2022)). The affected Windows updates from the November 2022 patchday (see links at the end of the article) protect users from these attacks.

Google TAG published details

Now, as of December 7, 2022, the Google team has disclosed its discovery in the blog post Internet Explorer 0-day exploited by North Korean actor APT37.This 0-day vulnerability was noticed because several users from South Korea uploaded on October 31, 2022 a Microsoft Office document with the title "221031 Seoul Yongsan Itaewon accident response situation (06:00).docx" to VirusTotal. Meanwhile, many virus scanners detect the malicious code (see the figure).

VirusTotal document

The document refers to the tragic incident in the Itaewon area of Seoul, South Korea. Many people died there during Halloween celebrations on October 29, 2022. The incident led to many reports in the media and the decoy in the form of the Word document exploits the great public interest in this event.

The document downloaded a rich text file (RTF) template from the Internet, which in turn retrieves remote HTML content. Since Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to spread IE exploits via Office files since 2017 (e.g., CVE-2017-0199). Spreading IE exploits via this vector has the advantage that the attacked target/victim does not need to use Internet Explorer as the default browser or chain the exploit with an EPM sandbox escape.


Upon examining the suspect file, security researchers at Google Threat Analysis Group (TAG) determined that the attackers exploited a 0-day vulnerability in Internet Explorer's JScript engine (jscript9.dll file). A flawed JIT optimization issue that results in type confusion can be exploited to execute arbitrary code when rendering an attacker-controlled website.

The details of the analysis and the Indicators of Compromise (IoCs) are described in Google's blog post. The Google TAG reported the vulnerability to Microsoft on October 31, 2022, and it was given the designation CVE-2022-41128 on November 3, 2022. The vulnerability was then patched in a timely manner on November 8, 2022. (via)

Similar articles:
Microsoft Security Update Summary (November 8, 2022)
PPatchday: Windows 10-Updates (November 8, 2022)
Patchday: Windows 11/Server 2022-Updates (November 8, 2022)
Windows 7/Server 2008 R2; Windows 8.1/Server 2012 R2: Updates (November 8, 2022)

Cookies helps to fund this blog: Cookie settings

This entry was posted in browser, Security, Update, Windows and tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *