Microsoft took a year to fix Windows vulnerability that was actively exploited

Enough time to wreak havoc.


Researchers have discovered that threat actors exploited a Windows 10/11 vulnerability for a year before Microsoft fixed it. This zero-day attack was possible through the legacy Internet Explorer browser.

According to researchers from security firm Check Point, some bad actors have been leveraging a zero-day exploit present on the MSHTML engine of Windows 10 and 11 for more than a year. The attacks targeted Windows users through Microsoft’s legacy browser, Internet Explorer. The latter was retired back in June 2022 due to its ageing code, which made it very susceptible to exploits. Though it was completely replaced by the Chromium-based Edge browser, there were still ways to launch it.

The malicious code that exploits this vulnerability apparently dates back to at least January 2023. It used novel or previously unknown tricks to trick Windows users into triggering remote code execution. This was done via a link disguised as a PDF file, using a ‘.url’ extension at the end of the name. For example, one of the samples was ‘Books_A0UJKO.pdf.url’.

With this, unsuspecting users open what they think is a PDF file but are instead redirected to a malicious website or link that downloads or executes the attack payload. Since the nefarious link runs on the outdated Internet Explorer, many of the new security checks are unavailable to detect the threat.
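The lure described above relies on a Windows Internet Shortcut (.url) file carrying a document-looking name. The following triage routine is an added example (not code from the article or from Check Point): it parses the `[InternetShortcut]` section of a .url file and flags the double-extension pattern seen in the ‘Books_A0UJKO.pdf.url’ sample, plus any link whose scheme is not plain http/https. The file contents are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List

# Document extensions that should never sit directly before ".url" in a name.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Schemes a shortcut is expected to carry; anything else deserves a look.
SAFE_SCHEMES = {"http", "https"}


@dataclass
class Finding:
    name: str
    url: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_url_file(text: str) -> str:
    """Return the URL= value from the [InternetShortcut] section, or ''."""
    in_section = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_section = s.lower() == "[internetshortcut]"
        elif in_section and s.lower().startswith("url="):
            return s[4:].strip()
    return ""


def triage(name: str, text: str) -> Finding:
    """Flag a .url file whose name or target matches the lure pattern."""
    f = Finding(name=name, url=parse_url_file(text))
    lower = name.lower()
    if not lower.endswith(".url"):
        f.reasons.append("not a .url file")
        return f
    stem = lower[:-4]
    for ext in sorted(DOC_EXTS):
        if stem.endswith(ext):
            f.reasons.append(f"document extension {ext} hidden before .url")
    if not f.url:
        f.reasons.append("no URL= entry")
    else:
        scheme = f.url.split(":", 1)[0].lower()
        if scheme not in SAFE_SCHEMES:
            f.reasons.append(f"scheme '{scheme}' is not http/https")
    return f


# Constructed sample contents; the hostnames are placeholders.
LURE = "[InternetShortcut]\nURL=file://example.invalid/report.html\n"
BENIGN = "[InternetShortcut]\nURL=https://example.invalid/\n"
```

Run `triage("Books_A0UJKO.pdf.url", LURE)` to see both reasons reported, and `triage("docs.url", BENIGN)` to confirm a plain web shortcut passes.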

While Windows’ security still pops up a warning before launching the file, it’s entirely understandable that many users will not notice they are launching an HTML file and will proceed to accept.

“From there (the website being opened with IE), the attacker could do many bad things because IE is insecure and outdated,” says Haifei Li, the Check Point researcher who discovered the vulnerability. “For example, if the attacker has an IE zero-day exploit – which is much easier to find compared to Chrome/Edge – the attacker could attack the victim to gain remote code execution immediately. However, in the samples we analysed, the threat actors didn’t use any IE remote code execution exploit. Instead, they used another trick in IE – which is probably not publicly known previously, to the best of our knowledge – to trick the victim into gaining remote code execution.”

The vulnerability, tracked as CVE-2024-38112, had a 7 out of 10 severity rating, but Microsoft has thankfully since fixed it. Better late than never.