18-Month Windows Flaw Exploited: Say Goodbye to MHTML Spoofing Mayhem!

Dodged a Spoof! Microsoft patches a pesky Windows flaw that masqueraded as PDFs to pilfer passwords. Sayonara, sneaky scripts! 🕵️‍♂️💻🔒 #CVE202438112

Hot Take:

Who knew that Internet Explorer could rise from the ashes like a pesky phoenix to haunt our cyber lives? Microsoft’s “Patch Tuesday” feels like a “Patch-It-Again-Tuesday” for a flaw that’s been the VIP pass for malware at the Windows party for over a year. Buckle up, folks, and let’s dive into the digital soap opera of vulnerabilities and nostalgia-induced threat vectors. IE, you’re the guest that just won’t leave.

Key Points:

  • Microsoft patched a zero-day vulnerability, CVE-2024-38112, actively exploited for 18 months to execute malicious scripts via old-school Internet Explorer.
  • The flaw involves MHTML spoofing, which allows attackers to use Internet Shortcut Files (.url) to masquerade as legit PDFs but actually download malware.
  • Internet Explorer, despite being retired, can still be called upon to perform less secure tasks, like opening potentially malicious HTA files with fewer warnings.
  • Attackers exploited Internet Explorer’s lax security to distribute the Atlantida Stealer malware, which goes after a treasure trove of sensitive data.
  • The vulnerability fix redirects MHTML URI handling to the more secure Microsoft Edge, showing that sometimes the best way to deal with a problem child is to send them to a tougher school.

Title: Microsoft MSHTML Remote Code Execution Vulnerability
Cve id: CVE-2021-40444
Cve state: PUBLISHED
Cve assigner short name: microsoft
Cve date updated: 12/28/2023
Cve description:
Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: "Suspicious Cpl File Execution".

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.

UPDATE September 14, 2021: Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. Please see the FAQ for important information about which updates are applicable to your system.

Title: Windows MSHTML Platform Spoofing Vulnerability
Cve id: CVE-2024-38112
Cve state: PUBLISHED
Cve assigner short name: microsoft
Cve date updated: 07/09/2024
Cve description: Windows MSHTML Platform Spoofing Vulnerability

Need to know more?

The Ghost of Browsers Past

Just when we thought Internet Explorer had been laid to rest in the "where are they now" file, it pops back up like a bad penny. It seems IE's spirit is strong enough to become a vessel for cyber shenanigans, and not the fun kind. The CVE-2024-38112 vulnerability allowed cyber nasties to dress up malware as a harmless PDF, delivered via the digital equivalent of a Trojan horse – a .url file. Who knew nostalgia could be so dangerous?

Shortcut to Trouble

The discovery by Haifei Li of Check Point Research is a bit like finding out your old Nokia phone can hack the Pentagon. Intriguing, but concerning. Attackers have been handing out booby-trapped Internet Shortcut files that download HTA files, which are basically the malware's version of a golden ticket, granting access to all the chocolate... I mean, data.

Internet Explorer's Last Hurrah

It turns out Internet Explorer was the digital equivalent of that uncle who brings fireworks to a family BBQ – a little bit exciting, but mostly just a safety hazard. By leveraging the mhtml: URI handler, attackers could bypass security features and even avoid the infamous "Mark of the Web" warning, which usually tells you when you're about to do something you'll regret.

The Art of Digital Deception

The threat actors behind this vulnerability were nothing if not crafty. They played a game of digital dress-up, padding filenames with Unicode characters to hide the HTA extension, and leading users to believe they were downloading a PDF. It's like thinking you're getting an autograph from your favorite celeb, only to find out you just signed up for a timeshare presentation.
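The two tricks described above (the mhtml: URI handler in the .url file from the previous section, and the Unicode-padded file name from this one) are both things a defender can check for when triaging a shortcut file. The script below is an added example written for this page; it is not code from the article, from Check Point Research, or from Microsoft. It assumes the standard INI layout of an Internet Shortcut (an [InternetShortcut] section with a URL= key), it treats U+2800 (Braille blank) and a few other blank-looking code points as candidate padding characters (an assumption, not a claim about which characters the real lures used), and the file contents and host names it scans are constructed samples, not the real campaign's.

```python
"""Triage helper for Internet Shortcut (.url) files, written as an added
defender-side example. It flags the two traits the article describes:
a URL= target that invokes the legacy mhtml: URI handler, and a fetched
file name whose real extension is pushed out of view by invisible Unicode."""
import configparser
import unicodedata
from urllib.parse import unquote, urlsplit

# Blank-looking code points that are not the ASCII space. Which ones a given
# lure used is an assumption here; U+2800 (Braille blank) is the one used in
# the constructed sample below. Extend the set from your own telemetry.
BLANK_LOOKALIKES = {"\u2800", "\u00a0", "\u3000", "\u3164", "\uffa0"}


def is_padding(ch: str) -> bool:
    """True for a character that can hide what follows it in a file name."""
    if ch == " ":
        return False  # ordinary spaces are normal in file names
    cat = unicodedata.category(ch)
    return ch in BLANK_LOOKALIKES or cat[0] in ("Z", "C")


def extension_of(name: str) -> str:
    """Lower-cased text after the last dot, or '' if there is no dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def analyze_filename(filename: str) -> dict:
    """Compare the extension a user sees with the one the OS will act on."""
    pad_positions = [i for i, ch in enumerate(filename) if is_padding(ch)]
    shown = filename[: pad_positions[0]] if pad_positions else filename
    apparent, actual = extension_of(shown), extension_of(filename)
    return {
        "apparent_ext": apparent,
        "actual_ext": actual,
        "padding_chars": len(pad_positions),
        "extension_hidden": bool(pad_positions) and apparent != actual,
    }


def parse_url_file(text: str) -> str:
    """Return the URL= value from the [InternetShortcut] section, or ''."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return ""  # not an INI-style shortcut at all
    return cp.get("InternetShortcut", "URL", fallback="").strip()


def uses_mhtml_handler(url: str) -> bool:
    """The mhtml: scheme is what routed these lures through Internet Explorer."""
    return url.lower().startswith("mhtml:")


def triage_shortcut(text: str) -> dict:
    """Run both checks over the contents of one .url file."""
    url = parse_url_file(text)
    mhtml = uses_mhtml_handler(url)
    # After "mhtml:" the remainder is itself a URL; its last path segment is
    # the name the user would eventually see in a download prompt.
    inner = url[len("mhtml:"):] if mhtml else url
    path = urlsplit(inner).path
    filename = unquote(path.rsplit("/", 1)[-1])
    report = analyze_filename(filename)
    report.update(url=url, filename=filename, mhtml_handler=mhtml,
                  suspicious=mhtml or report["extension_hidden"])
    return report


# Constructed samples (not the real lure). The padded name displays as
# "Report.pdf" while the extension the OS acts on is .hta.
PADDED_NAME = "Report.pdf" + "\u2800" * 20 + ".hta"
SAMPLE_LURE = ("[InternetShortcut]\r\n"
               "URL=mhtml:http://example.invalid/docs/" + PADDED_NAME + "\r\n")
SAMPLE_BENIGN = ("[InternetShortcut]\r\n"
                 "URL=https://example.invalid/docs/quarterly-report.pdf\r\n")

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        r = triage_shortcut(sample)
        print(f"{label}: suspicious={r['suspicious']} mhtml={r['mhtml_handler']} "
              f"shown=.{r['apparent_ext'] or '-'} actual=.{r['actual_ext'] or '-'} "
              f"padding={r['padding_chars']}")
```

The two signals are deliberately kept separate in the report: a shortcut can use the mhtml: handler without a disguised file name, and a padded name can arrive by other routes than a .url file, so a mail gateway or endpoint rule may want to weight them differently rather than only looking at the combined `suspicious` flag.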

Microsoft's Game of Whack-a-Mole

After an 18-month game of cyber whack-a-mole, Microsoft finally put the mallet down on this particular mole with a fix that redirects the MHTML handling to Edge. It's like telling the troublemaker in class to go sit with the honor students – a bit of a culture shock, but it just might work. And if nothing else, CVE-2024-38112 will go down in history as the vulnerability that made us all say, "Wait, Internet Explorer is still a thing?"

Tags: Atlantida Stealer malware, CVE-2024-38112, Internet Explorer vulnerability, MHTML spoofing, Patch Tuesday, Unicode obfuscation, Windows security update