CVE-2024-38112, a spoofing vulnerability in Windows MSHTML Platform for which Microsoft released a fix on Tuesday, has likely been exploited by attackers in the wild for over a year, Check Point researcher Haifei Li has revealed.
“Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users for remote code execution. Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL,” he explained.
“By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.”
Leveraging the zero-day
A file specially crafted to exploit CVE-2024-38112 – e.g., Books_A0UJKO.pdf.url – would look like a benign file to most Windows users because it would point to a customized icon in the Microsoft Edge application file (msedge.exe) – in this case, an icon for PDF files.
The file (ab)uses the MHTML: URI handler to force Internet Explorer to open an attacker-controlled website, from which attackers could further the compromise.
“For example, if the attacker has an IE zero-day exploit – which is much easier to find compared to Chrome/Edge, the attacker could attack the victim to gain remote code execution immediately,” the researcher noted.
“However, in the samples we analyzed, the threat actors didn’t use any IE remote code execution exploit. Instead, they used another trick in IE – which is probably not publicly known previously – to the best of our knowledge – to trick the victim into gaining remote code execution.”
This trick lets the attackers keep hiding the file’s true nature from a user who is intent on opening it and clicks through several pop-up warnings: the supposed PDF file is actually a malicious HTA (HTML application) file, which executes and enables RCE.
IE pop-up shows only the PDF extension (Source: Check Point Research)
“The malicious .url samples we discovered could be dated back as early as January 2023 (more than one year ago) to the latest May 13, 2024 (…). This suggests that threat actors have been using the attacking techniques for quite some time,” the researcher noted.
Microsoft was notified in May and has now finally issued a patch that prevents URL files from triggering the MHTML: URI handler. Admins are advised to implement it quickly. Users are also advised to be careful when opening URL files from untrusted sources, and should not click through OS security warnings without reading them carefully.
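For defenders who want to check endpoints or mail quarantines for shortcut files with the traits described above (a document-style double extension, an icon borrowed from msedge.exe, a target that uses the MHTML: handler), here is one way to do it. This is an added example, not code from Check Point or Microsoft; the sample content and host are constructed, and the function names are hypothetical.

```python
import configparser
import re
from pathlib import Path

# Constructed sample: file name from the article, placeholder host.
SAMPLE_NAME = "Books_A0UJKO.pdf.url"
SAMPLE_BODY = """[InternetShortcut]
URL=mhtml:http://attacker.example.invalid/landing
IconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
"""

DOC_BEFORE_URL = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.url$", re.I)

def inspect_shortcut(filename, body):
    """Return a list of findings for one .url file's name and text content."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(body)
    except configparser.Error as exc:
        # Malformed or oddly encoded shortcuts are worth a manual look.
        return [f"unparseable shortcut: {type(exc).__name__}"]
    section = next((parser[s] for s in parser.sections()
                    if s.lower() == "internetshortcut"), None)
    if section is None:
        return ["no [InternetShortcut] section"]
    findings = []
    url = section.get("url", "").strip()
    icon = section.get("iconfile", "").strip().lower()
    if url.lower().startswith("mhtml:"):
        findings.append("URL uses the mhtml: handler")
    if DOC_BEFORE_URL.search(filename):
        findings.append("document extension before .url")
    if icon.replace("/", "\\").rsplit("\\", 1)[-1] == "msedge.exe":
        findings.append("icon taken from msedge.exe")
    return findings

def scan_tree(root):
    """Yield (path, findings) for every .url file under root with findings."""
    for path in Path(root).rglob("*.url"):
        findings = inspect_shortcut(path.name, path.read_text(errors="replace"))
        if findings:
            yield path, findings

if __name__ == "__main__":
    for finding in inspect_shortcut(SAMPLE_NAME, SAMPLE_BODY):
        print(f"{SAMPLE_NAME}: {finding}")
```

A hit is a triage lead rather than proof of compromise; the mhtml: target is the strongest of the three signals, since the other two can also occur in harmless shortcuts.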
CISA has added CVE-2024-38112 to its Known Exploited Vulnerabilities (KEV) catalog, thus ordering US federal civilian executive branch agencies to apply the patch by July 30.
CVE-2024-38021: Another flaw to patch sooner rather than later
Morphisec researchers have warned that the patch for CVE-2024-38021 – a Microsoft Office vulnerability that can be exploited remotely and could lead to RCE – should also be implemented sooner rather than later.
Microsoft has given the flaw an “Important” severity rating, but the researchers argue that it should be considered critical, “given its zero-click nature (for trusted senders) and lack of authentication requirements.”
The researchers will release technical details and a PoC for CVE-2024-38021 next month at the DEF CON 32 conference in Las Vegas, so get the patch before that.