Exploit attempt blocked BLOCK C:\windows\system32\VBScript.dll

[bartonphelps]

It looks like MBAE is catching this, C:\windows\system32\VBScript.dll, about 50 unique workstations in the last hour. Not sure if I want to exempt it.

[GDN]

I can confirm this started in the last hour or so. 

In our case it happens when users try to print from a web-based application (through Word).

[bartonphelps]

Thank you, GDN.  I was able to confirm with a user that printing through a web-based application seemed to trigger the block, however printing was successful.

[MSV]

We are having a similar issue. Near 4:00 est exploit detection began blocking a number of vbscript based tools we use within Word as part of our document processing add-ins. Unfortunately we have had to disable exploit detection as it prevented Word from launching. I assume this was part of a definition update. Can anyone provides any details about the update that was released near this time?

[Arthi]

Hi All,

Thanks for your post. Can you please disable the following setting and see if that resolves your issue? 

Thanks.

[bartonphelps]

Unchecking that setting appears to have quieted things down.  Any idea what changed?

[bartonphelps]

I am seeing this again, Exploit attempt blocked BLOCK   C:\windows\system32\VBScript.dll

[Arthi]

Hi bartonphelps,

Is it Internet Explorer where you see these blocks?

[TSBG]

Hello, my company is also having these notifications they started yesterday, is Malwarebytes working on a fix?

[JimF]

My company is also seeing a few of these alerts starting yesterday around 5PM ET, but only on the few clients that auto-updated to Anti-Exploit Ver. 1.13.2.98.   The ones sill on 1.12.2.147 are not having the problem.  As far as I know the users haven't seen any issues themselves, but still working to confirm that.  I've opened up a case with support and have disabled the MBAE auto-update feature for now.  The alerts we're getting look like this:

8/28/2019 10:58:13 AM PCNAME 10.x.x.x     Exploit attempt blocked BLOCK                   Login    Internet Explorer                C:\Program Files\Internet Explorer\iexplore.exe Attacked application: C:\Program Files\Internet Explorer\iexplore.exe; Parent process name: explorer.exe; Layer: Application Hardening; API ID: 900; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:

 

 

[JimF]

32 minutes ago, JimF said:

Modification to my initial thread... Some of the alerts we are getting show "C:\Windows\SysWOW64\vbscript.dll" like below, but others don't like in my original post.  Waiting on response from support.

8/28/2019 9:11:05 AM  PCNAME 10.x.x.x      Exploit attempt blocked BLOCK                C:\Windows\SysWOW64\vbscript.dll      Login    Internet Explorer             C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE Attacked application: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE; Parent process name: iexplore.exe; Layer: Application Hardening; API ID: 210; Address: ; Module: ; AddressType: ; StackTop: ; StackBottom: ; StackPointer: ; Extra:

 

 

 

 

[bartonphelps]

Hi Arthi,  requested log files have been uploaded as per Chris' instructions.  I'll try to reach out to him as well.  Thanks to you and the MBAE team working on this.

[Arthi]

Thank you all for your patience. We are looking into it.

[TechMom]

We are also seeing this issue from several of our clients but the Anti Exploit versions vary from  1.9., 1.12.2.14 and 1.13.2.98. All pc's are running windows 7 32bit and are at different patch levels. At this point there seems to be no rhyme or reason to what we are seeing. 

[Arthi]

It is because of the new version update - It is a metered release which is why only few machines have been updated and are affected now. I have pushed in a silent update to the affected machines, it typically does not require a reboot or restart of Malwarebytes Anti-Exploit service for it to take effect. But if you still see these blocks on any system, please restart the MBAE service.

The fix I pushed was to uncheck the following settings.

Apologize for the inconvenience caused. Thanks for your patience.

[TSBG]

Turning off the application hardening doesnt seem like a actual fix, do you know when malwarebytes will be fixing the issue? 

[bartonphelps]

I agree with TSBG.  My Evil Manager says this is an acceptable short term fix only.  Anyway to get us back to a version that doesn't soften?

[TSBG]

Arthi, can we get a update on the issue, and a ETA on the full resolution? Thank you! 

[Arthi]

Hi All,

I wanted to give you all some background on the VBScript protection and the issues it caused. In the recent past, we have come across many VBScript engine exploit attacks in the wild.
Refer 
https://blog.malwarebytes.com/threat-analysis/2018/05/internet-explorer-zero-day-browser-attack/
https://googleprojectzero.blogspot.com/2018/12/on-vbscript.html

The protection we introduced in the new version of MBAE 1.13 blocks these exploit attacks. This protection has been automatically enabled for a long time now in our consumer product. 
However, in Business environments, the usage of 3rd party plugins and extensions which still use this vulnerable VBScript library in legitimate cases is high, as we learnt this week with the false positives.
We had to turn off (not disable) the protection - meaning users can turn it back on if they want to restrict usage of this vulnerable library within their organization, considering good security practices.

We are trying to research and find a way to distinguish between these legitimate cases and the true exploit attacks. From our past research into this, there is not a lot to differentiate between the two, with these plugins behaving very similar to how an exploit would. 

Will keep you all posted.

Thank you. 

Edited August 31, 2019 by Arthi

[bartonphelps]

Thank you for the update and explanation.

[holmebrian]

our pcs are having the same issue but it looks like it is happening when opening IE. 
The newest version does uncheck the options and not show the issue but it is still not a fix just a work around.

I was wondering if there was an eta on a fix or what the status on this was for being fixed?

Thanks,

Brian

[Arthi]

This is applicable for both IE and Office.

On 8/30/2019 at 3:01 PM, Arthi said:

Hi All,

I wanted to give you all some background on the VBScript protection and the issues it caused. In the recent past, we have come across many VBScript engine exploit attacks in the wild.
Refer 
https://blog.malwarebytes.com/threat-analysis/2018/05/internet-explorer-zero-day-browser-attack/
https://googleprojectzero.blogspot.com/2018/12/on-vbscript.html

The protection we introduced in the new version of MBAE 1.13 blocks these exploit attacks. This protection has been automatically enabled for a long time now in our consumer product. 
However, in Business environments, the usage of 3rd party plugins and extensions which still use this vulnerable VBScript library in legitimate cases is high, as we learnt this week with the false positives.
We had to turn off (not disable) the protection - meaning users can turn it back on if they want to restrict usage of this vulnerable library within their organization, considering good security practices.

We are trying to research and find a way to distinguish between these legitimate cases and the true exploit attacks. From our past research into this, there is not a lot to differentiate between the two, with these plugins behaving very similar to how an exploit would. 

Will keep you all posted.

Thank you. 

 

[TSBG]

Hello, was this addressed? we don't appear to be having the issue any longer

[Arthi]

Hi TSBG,

Yes this has been fixed and released. You should not see it anymore. Thanks.

[bartonphelps]

Just to be clear, the fix was, still is,  to uncheck prevent loading of VB Script library?