Unpatched for a year: Windows vulnerability puts users at risk
Researchers from security firm Check Point have discovered that threat actors had been exploiting a zero-day vulnerability in Windows to target users with malware for more than a year before Microsoft fixed it. The vulnerability, tracked as CVE-2024-38112, was present in both Windows 10 and Windows 11 and caused devices to open the decommissioned Internet Explorer (IE) browser. Malicious code exploiting the flaw had been circulating since at least January 2023 and remained active until May of this year.
Novel tricks used to lure Windows users
The attack code employed "novel (or previously unknown) tricks to lure Windows users for remote code execution," according to Check Point researchers. One trick involved a link that appeared to open a PDF file but actually pointed to a file with a .url extension. When viewed in Windows, the file displayed an icon indicating it was a PDF rather than a .url internet shortcut. This deception led users to unknowingly open malicious websites in IE.
Internet Explorer's insecurity exploited by attackers
Check Point researcher Haifei Li explained that the attacker could "do many bad things because IE is insecure and outdated." An attacker holding an IE zero-day exploit, which is easier to find than one for Chrome or Edge, could use it to gain remote code execution on victims' machines immediately.
Microsoft fixes vulnerability in monthly patch release
Microsoft addressed the zero-day vulnerability in its monthly patch release. The vulnerability was located in the Windows MSHTML engine and carried a severity rating of 7.0 out of 10. Check Point provided cryptographic hashes for six malicious .url files used in the campaign, so Windows users can check whether they have been targeted by this exploit.
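For defenders triaging suspicious internet shortcuts, the following added example (not code from Check Point or from this article) parses a .url file's [InternetShortcut] section and flags the two traits described above: a double extension that disguises the shortcut as a PDF, and a custom IconFile that borrows another file type's icon. It also compares the file's SHA-256 against a hash list; the six hashes Check Point published are not reproduced here, so `KNOWN_BAD_SHA256` holds a constructed placeholder, and the sample shortcut and its icon path are constructed as well.

```python
import configparser
import hashlib
from pathlib import PurePath

# Placeholder only: replace with the SHA-256 values published by Check Point.
KNOWN_BAD_SHA256 = {"0" * 64}

# Constructed sample of a lure: the file name ends in .url but the shortcut
# points its icon at a (hypothetical) PDF reader so Explorer shows a PDF icon.
SAMPLE_LURE = (
    b"[InternetShortcut]\r\n"
    b"URL=http://example.invalid/\r\n"
    b"IconFile=C:\\hypothetical\\PdfReader.exe\r\n"
    b"IconIndex=1\r\n"
)

# Constructed benign shortcut: no custom icon, single extension.
SAMPLE_BENIGN = b"[InternetShortcut]\r\nURL=https://example.invalid/docs\r\n"


def parse_url_shortcut(text):
    """Parse the INI-style body of a .url file; None if no [InternetShortcut]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return None
    return dict(cp.items("InternetShortcut"))  # keys are lower-cased


def triage_url_file(name, data):
    """Return a list of findings for one .url file (file name + raw bytes)."""
    findings = []
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        findings.append("sha256 matches a known-bad hash")
    # Double extension such as Invoice.pdf.url: the visible part hides .url.
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] == ".url":
        findings.append(f"double extension {''.join(suffixes)}: disguised as {suffixes[-2]}")
    fields = parse_url_shortcut(data.decode("utf-8", errors="replace"))
    if fields is None:
        return findings
    # A shortcut normally uses the default url.dll/shell32.dll icon; anything
    # else means the icon was chosen to impersonate another file type.
    icon = fields.get("iconfile", "")
    if icon and not icon.lower().endswith(("url.dll", "shell32.dll")):
        findings.append(f"custom IconFile={icon}: icon borrowed from another file type")
    return findings


if __name__ == "__main__":
    print(triage_url_file("Invoice.pdf.url", SAMPLE_LURE))
    print(triage_url_file("Docs.url", SAMPLE_BENIGN))
```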