marry 17.07.2024, 12:00 PM
Last week, Microsoft released patches for 142 vulnerabilities, including four zero-days: two were already publicly known, and the other two were being actively exploited in attacks.
Interestingly, one of these zero days, which has been used to steal passwords for the past 18 months, was found in Internet Explorer, a browser that Microsoft stopped developing back in 2015.
However, with the “farewell” update, Microsoft did not remove the browser from the system, but only disabled it, and even then, not in all versions of Windows.
In practice, this means that Internet Explorer is still lurking inside the system even though users cannot launch it as a standalone browser. Because of this, any new vulnerabilities found in this broken browser can still pose a threat to Windows users, even those who haven’t opened Internet Explorer in years.
The vulnerability in question is tracked as CVE-2024-38112. It is a bug in the MSHTML engine, which powers Internet Explorer. The vulnerability has a rating of 7.5 out of 10 on the CVSS 3 scale and a “high” level of severity.
To exploit the vulnerability, attackers must create a malicious file that contains a link with an mhtml prefix. When the user opens this file, Internet Explorer, whose security mechanisms are not very good, starts instead of the default browser.
How did attackers exploit CVE-2024-38112?
The attack starts by sending the user a .url file with an icon used for PDFs and a double .pdf.url extension. To the user, this file looks like a shortcut to a PDF and therefore seems harmless. If the user clicks on the file, the CVE-2024-38112 vulnerability is exploited. Because of the mhtml prefix in the .url file, it opens in Internet Explorer, not the system’s default browser.
The problem is that in the corresponding dialog, Internet Explorer displays the name of the same .url file pretending to be a PDF shortcut. Therefore, it is logical to assume that after clicking “Open” the PDF will be displayed. However, in reality, the shortcut opens a link that downloads and runs an HTA file.
When this file is run, Internet Explorer displays a not-so-informative warning in a format familiar to Windows users, which many will simply dismiss.
When the user clicks “Allow”, the infostealer malware runs on the computer, collects passwords, cookies, browsing history, crypto wallet keys and other valuable information stored in the browser and sends them to the attacker’s server.
How to protect against CVE-2024-38112?
Microsoft has already patched this vulnerability. Installing the update ensures that the trick with mhtml in .url files no longer works, and that such files are opened in the more secure Edge browser.
However, this incident is yet another reminder that the “deceased” browser will continue to haunt Windows users for some time to come. Therefore, it is recommended that you immediately install all updates related to Internet Explorer and the MSHTML engine, as well as use reliable security solutions on Windows devices.
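For triage on mail gateways or endpoints, the two traits of the lure described above (a document-style double extension and an mhtml-prefixed link inside the shortcut) can be checked statically. The following Python sketch is an added example, not code from Kaspersky or Microsoft; the function name, the decoy extension list and the sample shortcuts are assumptions constructed for illustration.

```python
import configparser
from pathlib import PurePath

# Assumed list of document extensions that should never precede ".url".
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

def inspect_shortcut(filename: str, content: str) -> list[str]:
    """Return the reasons a .url Internet Shortcut resembles the lure above."""
    findings = []
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] == ".url" and suffixes[-2] in DECOY_EXTS:
        findings.append("double-extension")

    # .url files are INI text. Interpolation is off because URLs contain '%',
    # and only '=' is a delimiter so the ':' inside the URL is left alone.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    try:
        parser.read_string(content)
    except configparser.Error:
        return findings + ["unparseable"]

    # Option names are lowercased by configparser; section names are not.
    for section in parser.sections():
        if section.lower() != "internetshortcut":
            continue
        url = parser[section].get("url", "").strip()
        if url.lower().startswith("mhtml:"):
            findings.append("mhtml-prefix")
    return findings

# Constructed samples (not taken from a real campaign).
LURE = "[InternetShortcut]\nURL=mhtml:http://example.invalid/page.html\n"
BENIGN = "[InternetShortcut]\nURL=https://example.com/\n"

if __name__ == "__main__":
    for name, body in [("invoice.pdf.url", LURE), ("site.url", BENIGN)]:
        print(name, inspect_shortcut(name, body) or "no findings")
```

A file that reports both findings matches the pattern in this article and is worth quarantining for review even on patched systems.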
Source: Kaspersky
Source: www.informacija.rs