Zero-day vulnerability in Internet Explorer

As part of its latest Patch Tuesday, Microsoft has released patches for 142 vulnerabilities. Among them were four zero-day vulnerabilities. While two of them were already publicly known, the other two had been actively exploited by malicious actors.

Interestingly, one of these zero-days, which supposedly had been used to steal passwords for the past 18 months, was found in Internet Explorer. Yes — that same browser that Microsoft stopped developing back in 2015 and promised to definitively, absolutely, for-sure bury in February 2023. Unfortunately, the patient proved to be stubborn — resisting its own funeral.

Why Internet Explorer isn’t nearly as dead as we would all like

Last year, I wrote about what the latest attempt to kill off Internet Explorer actually entailed. I’ll just give a brief version here; you can find the full story at the link. With the “farewell” update, Microsoft didn’t remove the browser from the system but merely disabled it (and even then, not in all versions of Windows).

In practice, this means that Internet Explorer is still lurking within the system; users just can’t launch it as a standalone browser. Therefore, any new vulnerabilities found in this supposedly defunct browser can still pose a threat to Windows users — even those who haven’t touched Internet Explorer in years.

CVE-2024-38112: vulnerability in Windows MSHTML

Now let’s talk about the discovered vulnerability CVE-2024-38112. This is a flaw in the MSHTML browser engine, which powers Internet Explorer. The vulnerability has a rating of 7.5 out of 10 on the CVSS 3 scale, and a “high” severity level.

To exploit the vulnerability, attackers need to create a malicious file in an innocent-looking internet shortcut format (.url, Windows Internet Shortcut File), containing a link with the mhtml prefix. When a user opens this file, Internet Explorer — whose security mechanisms aren’t very good — is launched instead of the default browser.

How attackers exploited CVE-2024-38112

To better understand how this vulnerability works, let’s look at the attack in which it was discovered. It all starts with the user being sent an .url file with the icon used for PDFs and the double extension .pdf.url.

Inside the malicious .url file, you can see a link with the “vulnerable” mhtml prefix. The last two lines are responsible for changing the icon to the one used for PDFs. Source

Thus, to the user, this file looks like a shortcut to a PDF — something seemingly harmless. If the user clicks on the file, the CVE-2024-38112 vulnerability is exploited. Due to the mhtml prefix in the .url file, it opens in Internet Explorer rather than the system’s default browser.

Attempting to open the malicious file launches Internet Explorer. Source

The problem is that in the corresponding dialog box, Internet Explorer shows the name of the same .url file pretending to be a PDF shortcut. So it’s logical to assume that after clicking “Open”, a PDF will be displayed. However, in reality, the shortcut opens a link that downloads and launches an HTA file.

This is an HTML application, a program in one of the scripting languages invented by Microsoft. Unlike ordinary HTML web pages, such scripts run as full-fledged applications and can do a lot of things — for example, edit files or the Windows registry. In short, they’re very dangerous.

When this file is launched, Internet Explorer displays a not-so-informative warning in a format familiar to Windows users, which many will simply dismiss.

Instead of opening a PDF file, a malicious HTA (HTML Application) is launched, accompanied by an uninformative Internet Explorer warning. Source

When the user clicks “Allow”, infostealer malware is launched on the user’s computer, collecting passwords, cookies, browsing history, crypto wallet keys, and other valuable information stored in the browser, and sending them to the attackers’ server.

How to protect against CVE-2024-38112

Microsoft has already patched this vulnerability. Installing the update ensures that the trick with mhtml in .url files will no longer work, and such files will henceforth open in the more secure Edge browser.

Nevertheless, this incident once again reminds us that the “deceased” browser will continue to haunt Windows users for the foreseeable future. In that regard, it’s advisable to promptly install all updates related to Internet Explorer and the MSHTML engine. As well as to use reliable security solutions on all Windows devices.