Attackers operated for more than a year in Windows, allowing them to execute malicious code before Microsoft addressed the issue. The vulnerability, known by the identifier cve-2024-38112, affected both Windows 10 and Windows 11, requiring victims to open the outdated Internet Explorer browser, which was disabled in 2022.
Researchers from Check Point discovered that the malicious code exploiting this vulnerability was actively distributed from January 2023 to May 2024. Microsoft only corrected this issue last Tuesday as part of the monthly Patch Tuesday security updates. The vulnerability was rated as a 7.0 out of 10 in terms of severity and was located in the Mshtml engine in Windows.
The attack utilized novel methods to deceive Windows users into executing malicious code on their devices. One example involved a file named “Books_a0ujko.pdf.url,” appearing to be a PDF file but actually a link that would launch a specified application.
Upon execution, this file launched the Msedge.exe file, responsible for opening the Edge browser, but used attributes “Mhtml:” and “! X-USC:” to instead open Internet Explorer. This allowed attackers to exploit the unpatched vulnerabilities in IE to execute arbitrary code on the victim’s device.
Users who opened such a file would encounter an Internet Explorer dialog window prompting them to open a file disguised as a PDF. If the user agreed, a second dialog box would appear with a warning. Clicking “Allow” would result in Internet Explorer loading a file with the “.hta” extension, triggering the execution of the malicious code.
Haifai Lee, the researcher from Check Point, explained that the first attack technique involved using the Mhtml trick to launch Internet Explorer rather than the more secure Chrome or Edge browsers. The second technique involved tricking the user into believing they were opening a PDF file when in fact, they were executing a dangerous “.hta” file.
Researchers provided cryptographic hashes of six malicious “ums” files used in the identified malicious campaign. Windows users can use these hashes to determine if their devices were targeted in this attack.