Longstanding Windows Zero-Day Exploited for Over a Year
July 10, 2024
Microsoft recently addressed a zero-day vulnerability in Windows that had been actively exploited in attacks for a year and a half to execute malicious scripts while bypassing security features. This high-severity flaw, designated as CVE-2024-38112, was an MHTML spoofing issue that was fixed during the July 2024 Patch Tuesday security updates. The vulnerability was discovered by Haifei Li of Check Point Research, who reported it to Microsoft in May 2024. However, Li's report indicates that samples exploiting this flaw were found as far back as January 2023.
The threat actors exploited the flaw by distributing Windows Internet Shortcut Files (.url) that appeared to be legitimate files, such as PDFs, but actually downloaded and launched HTA files to install password-stealing malware. An Internet Shortcut File is a text file that contains various configuration settings. When saved as a .url file and double-clicked, Windows will open the configured URL in the default web browser. However, the threat actors discovered that they could force Internet Explorer to open the specified URL by using the mhtml: URI handler in the URL directive.
MHTML, or 'MIME Encapsulation of Aggregate HTML Documents' file, is a technology introduced in Internet Explorer that encapsulates an entire webpage, including its images, into a single archive. When the URL is launched with the mhtml: URI, Windows automatically launches it in Internet Explorer instead of the default browser. According to vulnerability researcher Will Dormann, opening a webpage in Internet Explorer provides additional benefits to threat actors, as there are fewer security warnings when downloading malicious files.
Dormann explained on Mastodon, 'First, IE will allow you to download a .HTA file from the internet without warning. Next, once it's downloaded, the .HTA file will live in the INetCache directory, but it will NOT explicitly have a MotW. At this point, the only protection the user has is a warning that a website wants to open web content using a program on the computer. Without saying which website it is. If the user believes that they trust this website, this is when code execution happens.'
The threat actors exploited the fact that Internet Explorer, despite being announced for retirement two years ago and replaced by Edge for all practical functions, is still included by default on Windows 10 and Windows 11 and can be invoked for malicious purposes. Check Point reported that the threat actors made Internet Shortcut files appear as links to a PDF file. When clicked, the specified web page opened in Internet Explorer, which then attempted to download what appeared to be a PDF file but was actually an HTA file. The threat actors managed to hide the HTA extension and make it appear like a PDF was being downloaded by padding the filename with Unicode characters so the .hta extension was not displayed.
When Internet Explorer downloaded the HTA file, it asked if the user wished to save or open it. If a user chose to open the file thinking it was a PDF, as it did not contain the Mark of the Web, it launched with only a generic alert about the content opening from a website. As the target expected to download a PDF, the user may have trusted this alert, and the file was allowed to run. Check Point Research informed that allowing the HTA file to run would install the Atlantida Stealer malware password-stealing malware on the computer. Once executed, the malware would steal all credentials stored in the browser, cookies, browser history, cryptocurrency wallets, Steam credentials, and other sensitive data.
Microsoft has resolved the CVE-2024-38112 vulnerability by unregistering the mhtml: URI from Internet Explorer, so it now opens in Microsoft Edge instead. Interestingly, CVE-2024-38112 is similar to CVE-2021-40444, a zero-day vulnerability that abused MHTML that North Korean hackers used to launch attacks targeting security researchers in 2021.
Related News
- Microsoft's July Security Update Exploited by Attackers, Patch for 139 Unique CVEs Released
- Russian APT28 Hackers Exploit Outlook Flaw to Hijack Exchange Accounts
Latest News
- Citrix Addresses Critical and High-Severity Bugs in NetScaler Product
- Emerging Ransomware Group Exploits Vulnerability in Veeam Backup Software
- New OpenSSH Vulnerability May Lead to Remote Code Execution
- Microsoft's July Security Update Exploited by Attackers, Patch for 139 Unique CVEs Released
- Blast-RADIUS Attack Exploits RADIUS Authentication Protocol Vulnerability
Like what you see?
Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.