Microsoft Patches Vulnerability Used to Exploit Discontinued Internet Explorer

Despite Microsoft ceasing support for Internet Explorer (IE), components of the browser persist within Windows 10/11 systems, allowing for potential access to content via certain methods. Cybersecurity firm CheckPoint recently uncovered a novel hacking technique that leverages these remnants for remote code execution. Specifically, attackers craft special Windows Internet shortcuts (.url files) that exploit a vulnerability by invoking IE.

Executing such an attack is somewhat cumbersome, as it involves multiple prompts to the user, who must click through several permissions for the attack to proceed.

Details of the Exploit:

To exploit the CVE-2024-38112 vulnerability, attackers create a specific URL shortcut using a special mhtml prefix and the `!x-usc:` protocol. This shortcut, disguised as a PDF file complete with an icon, deceives users into opening it, which then calls upon IE. A prompt then appears, asking if the user wishes to continue. If the user agrees, IE’s security sandbox prompts another warning about opening web content. Should the user permit, a malicious .hta file is downloaded.

Given the effort required for this attack, hackers might target corporate employees by masquerading the file as a quotation or payment receipt in emails.

Microsoft's Response:

CheckPoint traced malicious URL samples back to January 2023, with the latest instances found up to May 13, 2024—just days before their original report. After reporting the vulnerability to the Microsoft Security Response Center, Microsoft confirmed the issue and addressed it in a security update released on July 9, 2024.

To safeguard against potential exploits, users are urged to install the latest security updates promptly. CheckPoint's blog provides a detailed breakdown of the exploit method, and with the information now public, it's likely that more hackers will attempt to leverage this vulnerability, making timely updates crucial.

For those interested in the technical specifics, CheckPoint's original research can be found here: CheckPoint Research