Stories
Slash Boxes
Comments

SoylentNews is people

Submission Preview

Link to Story

Threat actors exploited Windows 0-day for more than a year before Microsoft fixed it

Accepted submission by Freeman at 2024-07-11 14:02:51 from the S.oftware L.eft O.pen W.indow dept.
News

Freeman [soylentnews.org] writes:

https://arstechnica.com/security/2024/07/threat-actors-exploited-windows-0-day-for-more-than-a-year-before-microsoft-fixed-it/ [arstechnica.com]

Threat actors carried out zero-day attacks that targeted Windows users with malware for more than a year before Microsoft fixed the vulnerability that made them possible, researchers said Tuesday.

The vulnerability, present in both Windows 10 and 11, causes devices to open Internet Explorer, a legacy browser that Microsoft decommissioned [windows.com] in 2022 after its aging code base made it increasingly susceptible to exploits. Following the move, Windows made it difficult, if not impossible, for normal actions to open the browser, which was first introduced in the mid-1990s.
[...]
The company fixed [microsoft.com] the vulnerability, tracked as CVE-2024-CVE-38112, on Tuesday as part of its monthly patch release program. The vulnerability, which resided in the MSHTML engine of Windows, carried a severity rating of 7.0 out of 10.

The researchers from security firm Check Point said the attack code executed “novel (or previously unknown) tricks to lure Windows users for remote code execution.” A link that appeared to open a PDF file appended a .url extension to the end of the file, for instance, Books_A0UJKO.pdf.url, found in one of the malicious code samples [virustotal.com].
[...]
“From there (the website being opened with IE), the attacker could do many bad things because IE is insecure and outdated,” Haifei Li, the Check Point researcher who discovered the vulnerability, wrote. “For example, if the attacker has an IE zero-day exploit—which is much easier to find compared to Chrome/Edge—the attacker could attack the victim to gain remote code execution immediately. However, in the samples we analyzed, the threat actors didn’t use any IE remote code execution exploit. Instead, they used another trick in IE—which is probably not publicly known previously—to the best of our knowledge—to trick the victim into gaining remote code execution.”
[...]
The Check Point post includes cryptographic hashes for six malicious .url files used in the campaign. Windows users can use the hashes to check if they have been targeted. [Article seemed to be missing this link to the Check Point article [checkpoint.com]]

Original Submission