Facepalm: Internet Explorer as a standalone application was officially "retired" by Microsoft in 2022. The Redmond corporation doesn't support IE in Windows anymore, but the ancient browser's engine is still included in the most recent releases of Windows 11. And it's a security risk that cyber-criminals still love to target in their campaigns.
The latest Patch Tuesday updates from Microsoft include a bugfix for a zero-day flaw in the Internet Explorer browser engine. Tracked as CVE-2024-38112, the vulnerability has been exploited by unknown criminals since January 2023 to trick users into running malicious code on local, unprotected machines.
First discovered by Check Point researchers, the CVE-2024-38112 flaw is described by Microsoft as a Windows MSHTML Platform Spoofing Vulnerability. Also known as Trident, MSHTML is the proprietary browser engine used by Internet Explorer. The browser cannot be used in Windows 11 anymore, but the aforementioned engine is still included with the OS, and Microsoft plans to support it at least until 2029.
CVE-2024-38112 has a severity rating of 7.0 out of 10 and requires additional action by an attacker before exploitation succeeds: a threat actor has to trick the victim into downloading and executing a malicious file, Microsoft warns. Even so, users have seemingly been targeted and actually compromised for more than a year now.
IE's engine is insecure and outdated, Check Point analysts warn, and the zero-day exploits designed to target CVE-2024-38112 used some clever tricks to disguise what they were actually trying to achieve. The criminals used a malicious link (a .url shortcut) that appeared to open a PDF document but instead opened the Edge browser (msedge.exe) in Internet Explorer mode.
After invoking MSHTML, the criminals could have abused some IE-related zero-day flaws to gain remote code execution right away. However, the malicious samples discovered by Check Point didn't include any previously unknown flaw in the IE engine. Instead, they used another novel trick to open a dialog box asking users to save a PDF file.
The PDF extension was used to disguise a malicious HTA file, an HTML Application that is launched from an HTML document and runs on Windows through a tool known as Microsoft HTML Application Host (mshta.exe). Indeed, the overall goal of the CVE-2024-38112 attacks is to make victims believe they are opening a PDF file, Check Point says. The company discovered and hashed six malicious .url files used in the campaign, and Windows users are advised to install the latest Patch Tuesday updates as soon as possible.
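As an added example (not code from the article or from Check Point), the following Python detection pass flags the two observable steps of the chain described above: mshta.exe launched by a process hosting MSHTML (iexplore.exe, or Edge in Internet Explorer mode), and a file whose name claims a .pdf extension but actually ends in .hta. The event field names follow Sysmon conventions as an assumption, and the sample events are constructed.

```python
import re
from typing import Dict, List, Tuple

# Processes that host the MSHTML engine in the chain the article describes
# (Internet Explorer itself, or Edge running in Internet Explorer mode).
MSHTML_HOSTS = {"iexplore.exe", "msedge.exe"}

# A path that claims to be a PDF but really ends in .hta, allowing padding
# (spaces or extra dots) between the fake and the real extension.
DISGUISED_HTA = re.compile(r"\.pdf[\s.]*\.hta\b", re.IGNORECASE)

def _basename(path: str) -> str:
    # Lower-cased file name of a Windows or POSIX path.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_event(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules one process-creation event triggers."""
    hits: List[str] = []
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    # Rule 1: mshta.exe started by an MSHTML host is the hand-off from the
    # IE engine to the HTA host that the article describes.
    if image == "mshta.exe" and parent in MSHTML_HOSTS:
        hits.append("mshta_spawned_by_mshtml_host")
    # Rule 2: any process handed a file whose name claims .pdf but ends in .hta.
    if DISGUISED_HTA.search(cmdline):
        hits.append("pdf_disguised_hta_file")
    return hits

def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run every event through the rules and keep only those that fire."""
    return [(_basename(e.get("Image", "")), h) for e in events if (h := check_event(e))]

# Constructed sample events (Sysmon-style field names are an assumption).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": '"iexplore.exe"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\Downloads\invoice.pdf  .hta"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Tools\helpdesk.hta"'},
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

Only the second constructed event fires, on both rules; an HTA run by mshta.exe straight from Explorer with an honest file name produces no hit.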