According to a cybersecurity researcher, threat actors have been exploiting a vulnerability that leverages the fact that Internet Explorer (IE), which was retired in 2022, is still included by default in Windows 10 and Windows 11. The bug, designated CVE-2024-38112, is described as a high-severity MHTML spoofing flaw that, when exploited, could force IE to open and then download and install malware.
The same researcher who discovered the vulnerability in May 2024 reported that it had been actively exploited since January 2023. During this campaign, threat actors were observed distributing Windows Internet Shortcut Files (.url) disguised as legitimate PDF files with subjects of interest to the target.
Normally, when a user opens a .url file, it opens the configured link in the user’s default browser. However, threat actors figured out that by invoking the MHTML URL handler, Windows would automatically open the link in IE, an unsupported browser that shows far fewer security warnings when attempting to reach potentially dangerous sites or download malicious files.
Targets that ignored these vague warnings and followed the links would ultimately download and install ‘Atlantida Stealer,’ a password-stealing malware capable of stealing credentials stored in the browser, cookies, browser history, cryptocurrency wallets, and other sensitive data.
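The two traits of the lure described above, an Internet Shortcut whose link invokes the MHTML handler and a file name dressed up as a PDF, are easy to check for on disk. The triage helper below is an added example, not code from the article or from Field Effect; it parses the INI-style .url format with the standard library and assumes only that the mhtml: URI scheme is what hands a link to the MHTML handler. The sample shortcuts are constructed and point at example.com.

```python
from __future__ import annotations
import configparser
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class UrlFileFinding:
    """Result of triaging one Internet Shortcut (.url) file."""
    name: str
    target: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)

def analyze_url_file(name: str, content: str) -> UrlFileFinding:
    """Parse the INI-style shortcut and flag the two lure traits."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.optionxform = str  # keep key case; compared case-insensitively below
    parser.read_string(content)
    target = ""
    for section in parser.sections():
        if section.lower() != "internetshortcut":
            continue
        for key, value in parser.items(section):
            if key.lower() == "url" and value:
                target = value.strip()
    finding = UrlFileFinding(name=name, target=target)
    # Trait 1: an mhtml: scheme hands the link to the MHTML handler, so the
    # page opens in Internet Explorer instead of the user's default browser.
    if urlsplit(target).scheme.lower() == "mhtml":
        finding.reasons.append("URL invokes the MHTML handler (opens in IE)")
    # Trait 2: a double extension such as "report.pdf.url" reads as a PDF
    # once Explorer hides the .url extension.
    lower = name.lower()
    if lower.endswith(".url") and ".pdf" in lower[:-4]:
        finding.reasons.append("file name masquerades as a PDF")
    return finding

# Constructed sample shortcuts (not artifacts from the campaign).
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://example.com/report\n"
SAMPLE_LURE = "[InternetShortcut]\nURL=mhtml:https://example.com/lure\n"

if __name__ == "__main__":
    for fname, body in (("bookmark.url", SAMPLE_BENIGN), ("Quarterly Report.pdf.url", SAMPLE_LURE)):
        print(fname, "->", analyze_url_file(fname, body).reasons or "no findings")
```

Pointing the helper at a mail-attachment quarantine or a download folder gives a quick first pass; the scheme check also catches upper-case MHTML: links.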
Microsoft has addressed CVE-2024-38112 by binding MHTML to Edge instead of IE as part of its July 2024 ‘Patch Tuesday’ updates.
Source: Bleeping Computer
Analysis
This isn’t the first time threat actors have abused an MHTML-related vulnerability in a browser. For example, in 2021, the North Korean state-sponsored hacking group known as Lazarus leveraged a zero-day vulnerability in IE, which they exploited by sending MHTML files containing malicious JavaScript, to compromise cybersecurity and vulnerability researchers.
It’s unclear why Microsoft still includes an unsupported browser in default installations of Windows 10 and 11. Regardless, this campaign shows how threat actors can identify and exploit outdated software left on systems, intentionally or otherwise. While it’s fortunate that this vulnerability was discovered and responsibly disclosed to Microsoft, which quickly patched it, threat actors are likely to continue achieving success with this exploit against targets using unpatched systems.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities in browsers like Internet Explorer. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of these vulnerabilities. Field Effect MDR users are automatically notified when vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly encourages organizations to discontinue using Internet Explorer and switch to a modern browser such as Chrome, Firefox, or Edge. Additionally, users should enable automatic updates to ensure their browser is protected from the latest security threats.