{"id":33858,"date":"2024-07-16T22:51:55","date_gmt":"2024-07-16T11:51:55","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/zero-day-in-internet-explorer\/33858\/"},"modified":"2024-07-16T22:52:04","modified_gmt":"2024-07-16T11:52:04","slug":"zero-day-in-internet-explorer","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/zero-day-in-internet-explorer\/33858\/","title":{"rendered":"Zero-day vulnerability in Internet Explorer"},"content":{"rendered":"<p>As part of its latest Patch Tuesday, Microsoft has <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-july-2024-patch-tuesday-fixes-142-flaws-4-zero-days\/\" target=\"_blank\" rel=\"nofollow noopener\">released<\/a> patches for 142 vulnerabilities. Among them were four zero-day vulnerabilities. While two of them were already publicly known, the other two had been actively exploited by malicious actors.<\/p>\n<p>Interestingly, one of these zero-days, which supposedly had been used to steal passwords for the past 18 months, was found in Internet Explorer. Yes \u2014 that same browser that Microsoft stopped developing back in 2015 and promised to definitively, absolutely, for-sure bury in February 2023. Unfortunately, the patient proved to be stubborn \u2014 resisting its own funeral.<\/p>\n<h2>Why Internet Explorer isn\u2019t nearly as dead as we would all like<\/h2>\n<p>\nLast year, I wrote about what the <a href=\"https:\/\/www.kaspersky.com\/blog\/internet-explorer-is-finally-dead-or-is-it\/48104\/\" target=\"_blank\" rel=\"noopener nofollow\">latest attempt to kill off Internet Explorer actually entailed<\/a>. I\u2019ll just give a brief version here; you can find the full story at the link. 
With the \u201cfarewell\u201d update, Microsoft didn\u2019t remove the browser from the system but merely <em>disabled<\/em> it (and even then, not in all versions of Windows).<\/p>\n<p>In practice, this means that Internet Explorer is still lurking within the system; users just can\u2019t launch it as a standalone browser. Therefore, any new vulnerabilities found in this supposedly defunct browser can still pose a threat to Windows users \u2014 even those who haven\u2019t touched Internet Explorer in years.<\/p>\n<h2>CVE-2024-38112: vulnerability in Windows MSHTML<\/h2>\n<p>\nNow let\u2019s talk about the discovered vulnerability CVE-2024-38112. This is a flaw in the MSHTML browser engine, which powers Internet Explorer. The vulnerability has a <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-38112\" target=\"_blank\" rel=\"nofollow noopener\">rating of 7.5<\/a> out of 10 on the CVSS 3 scale, and a \u201chigh\u201d severity level.<\/p>\n<p>To exploit the vulnerability, attackers need to create a malicious file in an innocent-looking internet shortcut format (.url, Windows Internet Shortcut File), containing a link with the mhtml prefix. When a user opens this file, Internet Explorer \u2014 whose security mechanisms aren\u2019t very good \u2014 is launched instead of the default browser.<\/p>\n<h2>How attackers exploited CVE-2024-38112<\/h2>\n<p>\nTo better understand how this vulnerability works, let\u2019s look at the <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/windows-mshtml-zero-day-used-in-malware-attacks-for-over-a-year\/\" target=\"_blank\" rel=\"nofollow noopener\">attack<\/a> in which it was discovered. 
It all starts with the user being sent an .url file with the icon used for PDFs and the double extension .pdf.url.<\/p>\n<div id=\"attachment_51700\" style=\"width: 729px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/07\/16225136\/zero-day-in-internet-explorer-1.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-51700\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/07\/16225136\/zero-day-in-internet-explorer-1.png\" alt=\"Contents of the malicious .url file\" width=\"719\" height=\"190\" class=\"size-full wp-image-51700\"><\/a><p id=\"caption-attachment-51700\" class=\"wp-caption-text\">Inside the malicious .url file, you can see a link with the \u201cvulnerable\u201d mhtml prefix. The last two lines are responsible for changing the icon to the one used for PDFs. <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/windows-mshtml-zero-day-used-in-malware-attacks-for-over-a-year\/\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>Thus, to the user, this file looks like a shortcut to a PDF \u2014 something seemingly harmless. If the user clicks on the file, the CVE-2024-38112 vulnerability is exploited. 
Due to the mhtml prefix in the .url file, it opens in Internet Explorer rather than the system\u2019s default browser.<\/p>\n<div id=\"attachment_51701\" style=\"width: 1095px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/07\/16225148\/zero-day-in-internet-explorer-3.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-51701\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/07\/16225148\/zero-day-in-internet-explorer-3.png\" alt=\"Malicious .url file exploits CVE-2024-38112 vulnerability\" width=\"1085\" height=\"512\" class=\"size-full wp-image-51701\"><\/a><p id=\"caption-attachment-51701\" class=\"wp-caption-text\">Attempting to open the malicious file launches Internet Explorer. <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/windows-mshtml-zero-day-used-in-malware-attacks-for-over-a-year\/\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>The problem is that in the corresponding dialog box, Internet Explorer shows the name of the same .url file pretending to be a PDF shortcut. So it\u2019s logical to assume that after clicking \u201cOpen\u201d, a PDF will be displayed. However, in reality, the shortcut opens a link that downloads and launches an HTA file.<\/p>\n<p>This is an <a href=\"https:\/\/en.wikipedia.org\/wiki\/HTML_Application\" target=\"_blank\" rel=\"nofollow noopener\">HTML application<\/a>, a program in one of the scripting languages invented by Microsoft. Unlike ordinary HTML web pages, such scripts run as full-fledged applications and can do a lot of things \u2014 for example, edit files or the Windows registry. 
In short, they\u2019re very dangerous.<\/p>\n<p>When this file is launched, Internet Explorer displays a not-so-informative warning in a format familiar to Windows users, which many will simply dismiss.<\/p>\n<div id=\"attachment_51702\" style=\"width: 462px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/07\/16225202\/zero-day-in-internet-explorer-4.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-51702\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2024\/07\/16225202\/zero-day-in-internet-explorer-4.png\" alt=\"Launching a malicious HTA file\" width=\"452\" height=\"274\" class=\"size-full wp-image-51702\"><\/a><p id=\"caption-attachment-51702\" class=\"wp-caption-text\">Instead of opening a PDF file, a malicious HTA (HTML Application) is launched, accompanied by an uninformative Internet Explorer warning. <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/windows-mshtml-zero-day-used-in-malware-attacks-for-over-a-year\/\" target=\"_blank\" rel=\"nofollow noopener\">Source<\/a><\/p><\/div>\n<p>When the user clicks \u201cAllow\u201d, infostealer malware is launched on the user\u2019s computer, collecting passwords, cookies, browsing history, crypto wallet keys, and other valuable information stored in the browser, and sending them to the attackers\u2019 server.<\/p>\n<h2>How to protect against CVE-2024-38112<\/h2>\n<p>\nMicrosoft has already patched this vulnerability. 
Installing the update ensures that the trick with mhtml in .url files will no longer work, and such files will henceforth open in the more secure Edge browser.<\/p>\n<p>Nevertheless, this incident <a href=\"https:\/\/www.kaspersky.com\/blog\/microsoft-patch-tuesday-july-2023\/48606\/\" target=\"_blank\" rel=\"noopener nofollow\">once again<\/a> reminds us that the \u201cdeceased\u201d browser will continue to haunt Windows users for the foreseeable future. In that regard, it\u2019s advisable to promptly install all updates related to Internet Explorer and the MSHTML engine, and to use <a href=\"https:\/\/www.kaspersky.com.au\/small-to-medium-business-security\/cloud?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kescloud___\" target=\"_blank\" rel=\"noopener\">reliable security solutions<\/a> on all Windows devices.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-trial\"><input type=\"hidden\" class=\"placeholder_for_banner\" data-cat_id=\"kesb-trial\" value=\"27354\">\n","protected":false},"excerpt":{"rendered":"<p>A zero-day vulnerability actively exploited by attackers has been discovered in Internet Explorer \u2014 the browser that Microsoft supposedly laid to rest over a year ago. 
<\/p>\n","protected":false},"author":2726,"featured_media":33861,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2993,2994],"tags":[1278,1171,25,38,3702,422,121,268,113],"class_list":{"0":"post-33858","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-browsers","11":"tag-exploits","12":"tag-internet-explorer","13":"tag-microsoft","14":"tag-password-theft","15":"tag-threats","16":"tag-updates","17":"tag-vulnerabilities","18":"tag-windows"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/zero-day-in-internet-explorer\/33858\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/zero-day-in-internet-explorer\/27716\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/zero-day-in-internet-explorer\/23031\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/zero-day-in-internet-explorer\/30382\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/zero-day-in-internet-explorer\/27882\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/zero-day-in-internet-explorer\/37868\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/zero-day-in-internet-explorer\/51698\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/zero-day-in-internet-explorer\/36749\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/zero-day-in-internet-explorer\/28028\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/zero-day-in-internet-explorer\/33523\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/vulnerabilities\/","name":"vulnerabilities"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/33858","targetHints":{"allow":["GET"]}}],"collection":[{"href
":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=33858"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/33858\/revisions"}],"predecessor-version":[{"id":33860,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/33858\/revisions\/33860"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/33861"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=33858"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=33858"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=33858"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}