Windows MSHTML zero-day used in malware attacks for over a year

July 10, 2024 at 12:08PM

Microsoft fixed a Windows zero-day vulnerability (CVE-2024-38112) used to exploit Internet Explorer and launch malicious scripts. Threat actors distributed Windows Internet Shortcut Files to spoof legitimate-looking files, tricking users into downloading and running HTA files disguised as PDFs. The flaw was fixed in the July 2024 Patch Tuesday updates, which direct mhtml: URIs to open in Microsoft Edge instead of Internet Explorer.

Key takeaways from the meeting notes:

– Microsoft fixed a high-severity MHTML spoofing issue, tracked as CVE-2024-38112, during the July 2024 Patch Tuesday security updates.
– The vulnerability, discovered by Haifei Li of Check Point Research, had been actively exploited by threat actors for at least 18 months prior to the fix.
– Threat actors had been distributing Windows Internet Shortcut Files (.url) to spoof legitimate-looking files, such as PDFs, and trick users into downloading and launching HTA files to install password-stealing malware.
– Threat actors were able to exploit Internet Explorer’s behavior to download and execute malicious HTA files, leveraging its default presence on Windows 10 and Windows 11 despite its retirement announcement.
– The vulnerability has been fixed by unregistering the mhtml: URI from Internet Explorer, ensuring that it now opens in Microsoft Edge instead.
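
A triage check for the shortcut files described above, as an added example that is not part of the article: it parses the INI-style .url format, flags a URL field that carries the mhtml: scheme the fix unregisters from Internet Explorer, and flags a target that references an .hta file. The sample shortcut contents are constructed here, and the assumption that the URL field is where the mhtml: prefix appears is mine, not stated by the article.

```python
import re

# Constructed sample Internet Shortcut (.url) contents; the format is INI-like.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/report.pdf
"""

SUSPECT_URL_FILE = """[InternetShortcut]
URL=mhtml:http://example.invalid/shared/Report.pdf.hta
ShowCommand=7
"""

MHTML_PREFIX = re.compile(r"^\s*mhtml:", re.IGNORECASE)
HTA_TARGET = re.compile(r"\.hta\b", re.IGNORECASE)


def shortcut_url(content: str):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    section = None
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and INI comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "url":
                return value.strip()
    return None


def assess_shortcut(content: str):
    """Return a list of finding tags for one .url file (empty means nothing flagged)."""
    findings = []
    url = shortcut_url(content)
    if url is None:
        return findings
    if MHTML_PREFIX.match(url):
        findings.append("mhtml-scheme")
        url = MHTML_PREFIX.sub("", url, count=1)  # inspect the inner target too
    if HTA_TARGET.search(url):
        findings.append("hta-target")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL_FILE), ("suspect", SUSPECT_URL_FILE)):
        print(name, assess_shortcut(sample))
```

Run over a mail gateway's quarantined attachments or a user's Downloads folder, a non-empty result is a reason to pull the file for analysis rather than let it open.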

In summary, the meeting notes highlight a serious long-standing vulnerability that Microsoft has addressed, involving a clever exploitation of Internet Explorer’s behavior to distribute and execute password-stealing malware.