THE BROWSER THAT WOULDN’T DIE — Threat actors exploited Windows 0-day for more than a year before Microsoft fixed it The goal of the exploits was to open Explorer and trick targets into running malicious code.
Dan Goodin – Jul 10, 2024 9:44 pm UTC EnlargeGetty Images reader comments 47
Threat actors carried out zero-day attacks that targeted Windows users with malware for more than a year before Microsoft fixed the vulnerability that made them possible, researchers said Tuesday.
The vulnerability, present in both Windows 10 and 11, causes devices to open Internet Explorer, a legacy browser that Microsoft decommissioned in 2022 after its aging code base made it increasingly susceptible to exploits. Following the move, Windows made it difficult, if not impossible, for normal actions to open the browser, which was first introduced in the mid-1990s. Tricks old and new
Malicious code that exploits the vulnerability dates back to at least January 2023 and was circulating as recently as May this year, according to the researchers who discovered the vulnerability and reported it to Microsoft. The company fixed the vulnerability, tracked as CVE-2024-CVE-38112, on Tuesday as part of its monthly patch release program. The vulnerability, which resided in the MSHTML engine of Windows, carried a severity rating of 7.0 out of 10.
The researchers from security firm Check Point said the attack code executed novel (or previously unknown) tricks to lure Windows users for remote code execution. A link that appeared to open a PDF file appended a .url extension to the end of the file, for instance, Books_A0UJKO.pdf.url, found in one of the malicious code samples.
When viewed in Windows, the file showed an icon indicating the file was a PDF rather than a .url file. Such files are designed to open an application specified in a link. Enlarge / Screenshot showing a file named Books_A0UJKO.pdf. The file icon indicates it’s a PDF.Check Point
A link in the file made a call to msedge.exe, a file that runs Edge. The link, however, incorporated two attributesmhtml: and !x-usc:an old trick threat actors have been using for years to cause Windows to open applications such as MS Word. It also included a link to a malicious website. When clicked, the .url file disguised as a PDF opened the site, not in Edge, but in Internet Explorer.
From there (the website being opened with IE), the attacker could do many bad things because IE is insecure and outdated, Haifei Li, the Check Point researcher who discovered the vulnerability, wrote. For example, if the attacker has an IE zero-day exploitwhich is much easier to find compared to Chrome/Edgethe attacker could attack the victim to gain remote code execution immediately. However, in the samples we analyzed, the threat actors didnt use any IE remote code execution exploit. Instead, they used another trick in IEwhich is probably not publicly known previouslyto the best of our knowledgeto trick the victim into gaining remote code execution.
IE would then present the user with a dialog box asking them if they wanted to open the file masquerading as a PDF. If the user clicked open, Windows presented a second dialog box displaying a vague notice that proceeding would open content on the Windows device. If users clicked allow, IE would load a file ending in .hta, an extension that causes Windows to open the file in Internet Explorer and run embedded code. Enlarge / Screenshot showing open IE window and IE-generated dialog box asking to open Books_A0UJKO.pdf file.Check Point Enlarge / Screenshot of IE Security box asking if user wants to “open web content” using IE.Check Point
To summarize the attacks from the exploitation perspective: the first technique used in these campaigns is the mhtml trick, which allows the attacker to call IE instead of the more secure Chrome/Edge, Li wrote. The second technique is an IE trick to make the victim believe they are opening a PDF file, while in fact, they are downloading and executing a dangerous .hta application. The overall goal of these attacks is to make the victims believe they are opening a PDF file, and it is made possible by using these two tricks.
The Check Point post includes cryptographic hashes for six malicious .url files used in the campaign. Windows users can use the hashes to check if they have been targeted. reader comments 47 Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Advertisement Channel Ars Technica ← Previous story Next story → Related Stories Today on Ars