Microsoft fixed a Windows zero-day vulnerability that has been actively exploited in attacks for eighteen months to launch malicious scripts while bypassing built-in security features.
The flaw, tracked as CVE-2024-38112, is a high-severity MHTML spoofing issue fixed during the July 2024 Patch Tuesday security updates.
Haifei Li of Check Point Research discovered the vulnerability and disclosed it to Microsoft in May 2024.
However, in a report by Li, the researcher notes that they have found samples exploiting this flaw as far back as January 2023.
Internet Explorer is gone, but not really
Haifei Li discovered that threat actors have been distributing Windows Internet Shortcut Files (.url) to spoof legitimate-looking files, such as PDFs, but that download and launch HTA files to install password-stealing malware.
An Internet Shortcut File is simply a text file that contains various configuration settings, such as what icon to show, what link to open when double-clicked, and other information. When saved as a .url file and double-clicked, Windows will open the configured URL in the default web browser.
However, the threat actors discovered that they could force Internet Explorer to open the specified URL by using the mhtml: URI handler in the URL directive, as shown below.
MHTML is a 'MIME Encapsulation of Aggregate HTML Documents' file, a technology introduced in Internet Explorer that encapsulates an entire webpage, including its images, into a single archive.
When the URL is launched with the mhtml: URI, Windows automatically launches it in Internet Explorer instead of the default browser.
According to vulnerability researcher Will Dormann, opening a webpage in Internet Explorer gives additional benefits to threat actors, as there are fewer security warnings when downloading malicious files.
“First, IE will let you download a .HTA file from the internet without warning,” explained Dormann on Mastodon.
“Next, once it's downloaded, the .HTA file will live in the INetCache directory, but it will NOT explicitly have a MotW. At this point, the only protection the user has is a warning that “a website” wants to open web content using a program on the computer.”
“Without saying which website it is. If the user believes that they trust “this” website, that's when code execution happens.”
Essentially, the threat actors take advantage of the fact that Internet Explorer is still included by default on Windows 10 and Windows 11.
Despite Microsoft announcing its retirement roughly two years ago and Edge replacing it in all practical functions, the outdated browser can still be invoked and leveraged for malicious purposes.
Check Point says that the threat actors are creating Internet Shortcut files with icon indexes to make them appear as links to a PDF file.
When clicked, the specified web page will open in Internet Explorer, which automatically attempts to download what appears to be a PDF file but is actually an HTA file.
However, the threat actors can hide the HTA extension and make it appear as if a PDF is being downloaded by padding the filename with Unicode characters so the .hta extension isn't displayed, as shown below.
When Internet Explorer downloads the HTA file, it asks if you wish to save or open it. If a user decides to open the file thinking it's a PDF, since it doesn't contain the Mark of the Web, it will launch with only a generic alert about the content opening from a website.
As the target expects to download a PDF, the user may trust this alert, and the file is allowed to run.
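The two tells described above, the mhtml: prefix in a .url file's URL directive and a download name padded with invisible Unicode characters ahead of a .hta extension, can be checked from a triage script. The following is an added example written for this article, not code from Check Point or BleepingComputer; the shortcut text, the download name and the padding threshold of eight characters are constructed assumptions.

```python
import configparser
import unicodedata
from typing import Dict, List

# Constructed sample of a Windows Internet Shortcut (.url) file whose URL
# directive carries the mhtml: prefix; the host is a placeholder, not an IoC.
SAMPLE_SHORTCUT = r"""[InternetShortcut]
URL=mhtml:http://example.invalid/lure.html
IconFile=C:\Windows\System32\shell32.dll
IconIndex=1
"""

# Constructed download name: decoy ".pdf", then a run of non-breaking spaces
# that pushes the real ".hta" extension out of the visible part of the dialog.
SAMPLE_DOWNLOAD_NAME = "Invoice.pdf" + "\u00a0" * 60 + ".hta"

# Unicode categories that render blank or invisible: separators and format chars.
INVISIBLE_CATEGORIES = {"Zs", "Zl", "Zp", "Cf"}

def parse_url_shortcut(text: str) -> Dict[str, str]:
    """Parse the INI-style [InternetShortcut] section; keys come back lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return dict(cp[section])
    return {}

def uses_mhtml_handler(fields: Dict[str, str]) -> bool:
    """True when the URL directive starts with the mhtml: URI scheme."""
    return fields.get("url", "").strip().lower().startswith("mhtml:")

def hidden_hta_extension(filename: str) -> bool:
    """True when the name ends in .hta and the part before it holds a long run
    of invisible characters (the padding trick described in the article)."""
    stem, _, ext = filename.rpartition(".")
    if ext.lower() != "hta":
        return False
    padding = sum(unicodedata.category(ch) in INVISIBLE_CATEGORIES for ch in stem)
    return padding >= 8  # assumed threshold; tune it for your environment

def assess(shortcut_text: str, download_name: str) -> List[str]:
    """Return findings for a .url file and the name of the file it fetched."""
    findings = []
    if uses_mhtml_handler(parse_url_shortcut(shortcut_text)):
        findings.append("URL directive uses mhtml: (page opens in Internet Explorer)")
    if hidden_hta_extension(download_name):
        findings.append("download name hides a .hta extension behind Unicode padding")
    return findings
```

Run `assess(SAMPLE_SHORTCUT, SAMPLE_DOWNLOAD_NAME)` to see both findings; a plain `URL=https://...` shortcut and an unpadded name yield none.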
Check Point Research told BleepingComputer that allowing the HTA file to run would install the Atlantida Stealer password-stealing malware on the computer.
Once executed, the malware will steal all credentials stored in the browser, cookies, browser history, cryptocurrency wallets, Steam credentials, and other sensitive data.
Microsoft has fixed the CVE-2024-38112 vulnerability by unregistering the mhtml: URI from Internet Explorer, so it now opens in Microsoft Edge instead.
CVE-2024-38112 is similar to CVE-2021-40444, a zero-day vulnerability that abused MHTML that North Korean hackers leveraged to launch attacks targeting security researchers in 2021.