Thursday, July 18, 2024

Zero-day vulnerability in Internet Explorer

As part of its latest Patch Tuesday, Microsoft has released patches for 142 vulnerabilities. Among them were four zero-day vulnerabilities. While two of them were already publicly known, the other two were being actively exploited by malicious actors.

Interestingly, one of these zero-days, which had reportedly been used to steal passwords for the past 18 months, was found in Internet Explorer. Yes, that same browser that Microsoft stopped developing back in 2015 and promised to definitively, completely, for-sure bury in February 2023. Unfortunately, the patient proved stubborn, resisting its own funeral.

Why Internet Explorer isn't nearly as dead as we'd all like

Last year, I wrote about what the latest attempt to kill off Internet Explorer actually entailed. I'll just give a brief version here; you can find the full story at the link. With the "farewell" update, Microsoft didn't remove the browser from the system but merely disabled it (and even then, not in all versions of Windows).

In practice, this means that Internet Explorer is still lurking within the system; users just can't launch it as a standalone browser. Therefore, any new vulnerabilities found in this supposedly defunct browser can still pose a threat to Windows users, even those who haven't touched Internet Explorer in years.

CVE-2024-38112: vulnerability in Windows MSHTML

Now let's talk about the discovered vulnerability, CVE-2024-38112. It's a flaw in the MSHTML browser engine, which powers Internet Explorer. The vulnerability has a rating of 7.5 out of 10 on the CVSS 3 scale, and a "high" severity level.

To exploit the vulnerability, attackers need to create a malicious file in an innocent-looking internet shortcut format (.url, Windows Internet Shortcut File), containing a link with the mhtml prefix. When a user opens this file, Internet Explorer, whose security mechanisms aren't great, is launched instead of the default browser.

How attackers exploited CVE-2024-38112

To better understand how this vulnerability works, let's look at the attack in which it was discovered. It all begins with the user being sent a .url file with the icon used for PDFs and the double extension .pdf.url.

Contents of the malicious .url file

Inside the malicious .url file, you can see a link with the "vulnerable" mhtml prefix. The last two lines are responsible for changing the icon to the one used for PDFs.

Thus, to the user, this file looks like a shortcut to a PDF, something seemingly harmless. If the user clicks on the file, the CVE-2024-38112 vulnerability is exploited. Because of the mhtml prefix in the .url file, it opens in Internet Explorer rather than the system's default browser.
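The traits just described (the mhtml prefix in the URL= line, the borrowed PDF icon, the .pdf.url double extension) can be checked mechanically. The following scanner is an added example, not code from the original post; it parses .url files as the INI-style text they are and assumes the standard InternetShortcut keys (URL, IconFile, IconIndex), a placeholder lure with an inert host, and a heuristic for PDF-handler icon paths that is my assumption rather than something the post states.

```python
# Added example, not code from the original post: a scanner that parses Windows
# Internet Shortcut (.url) files and flags the traits described above. A .url file
# is INI-style text with an [InternetShortcut] section: URL= holds the target and
# IconFile=/IconIndex= choose the displayed icon (these are the standard keys).
import configparser
import re
from pathlib import Path

# The mhtml prefix hands the link to the MSHTML engine (Internet Explorer).
MHTML_PREFIX = re.compile(r"^\s*mhtml:", re.IGNORECASE)
# Heuristic (my assumption, not from the post): icon borrowed from a PDF handler.
PDF_ICON_HINT = re.compile(r"pdf|acro|reader", re.IGNORECASE)
# Double extension such as .pdf.url, as in the observed lure.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.url$", re.IGNORECASE)

def analyse_url_shortcut(text: str, filename: str) -> dict:
    """Return findings for one .url file body and its file name."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(text)
    findings = {"mhtml_prefix": False, "pdf_icon": False, "double_extension": False}
    if parser.has_section("InternetShortcut"):
        section = parser["InternetShortcut"]
        findings["mhtml_prefix"] = bool(MHTML_PREFIX.match(section.get("URL", "")))
        findings["pdf_icon"] = bool(PDF_ICON_HINT.search(section.get("IconFile", "")))
    findings["double_extension"] = bool(DOUBLE_EXT.search(filename))
    # mhtml: alone is enough to flag; the two lure traits together are also a signal.
    findings["suspicious"] = findings["mhtml_prefix"] or (
        findings["pdf_icon"] and findings["double_extension"])
    return findings

def scan_directory(root: str) -> list:
    """Walk a folder (e.g. Downloads) and return the suspicious .url files found."""
    hits = []
    for path in Path(root).rglob("*.url"):
        body = path.read_text(encoding="utf-8", errors="replace")
        result = analyse_url_shortcut(body, path.name)
        if result["suspicious"]:
            hits.append((str(path), result))
    return hits

# Constructed sample mimicking the lure described above (placeholder host and path).
SAMPLE_LURE = r"""[InternetShortcut]
URL=mhtml:http://example.invalid/placeholder
IconFile=C:\Program Files\placeholder-pdf-reader\reader.exe
IconIndex=1
"""
# Constructed benign shortcut for comparison.
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://www.kaspersky.com/\n"
```

Run `scan_directory` over a mail-attachment or Downloads folder to list shortcuts that would be handed to MSHTML; on patched systems the mhtml trick no longer launches Internet Explorer, but the scan still tells you who received such lures.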

Malicious .url file exploits CVE-2024-38112 vulnerability

Attempting to open the malicious file launches Internet Explorer.

The problem is that in the corresponding dialog box, Internet Explorer shows the name of the same .url file pretending to be a PDF shortcut. So it's logical to assume that after clicking "Open", a PDF will be displayed. However, in reality, the shortcut opens a link that downloads and launches an HTA file.

This is an HTML Application, a program written in one of the scripting languages invented by Microsoft. Unlike ordinary HTML web pages, such scripts run as full-fledged applications and can do a wide range of things, for example, edit files or the Windows registry. In short, they're very dangerous.

When this file is launched, Internet Explorer displays a not-so-informative warning in a format familiar to Windows users, which many will simply dismiss.

Launching a malicious HTA file

Instead of opening a PDF file, a malicious HTA (HTML Application) is launched, accompanied by an uninformative Internet Explorer warning.

When the user clicks "Allow", infostealer malware is launched on the user's computer, collecting passwords, cookies, browsing history, crypto wallet keys, and other valuable information stored in the browser, and sending them to the attackers' server.

How to protect against CVE-2024-38112

Microsoft has already patched this vulnerability. Installing the update ensures that the trick with mhtml in .url files will no longer work, and such files will henceforth open in the safer Edge browser.

Nonetheless, this incident once again reminds us that the "deceased" browser will continue to haunt Windows users for the foreseeable future. In that regard, it's advisable to promptly install all updates related to Internet Explorer and the MSHTML engine, and to use reliable security solutions on all Windows devices.
