Updated 07/11 with Microsoft comments and resolution to prior update issue.
Microsoft Windows users are suddenly at risk from a “previously unknown” trick to attack their PCs. This threat is now being actively exploited through a hidden vulnerability on your system, one that has just been patched by Microsoft.
The research team at Check Point warns that “attackers are using special Windows Internet Shortcut files, which, when clicked, call the retired Internet Explorer (IE) to visit the attacker-controlled URL… By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.”
The threat is serious enough that the US government has just added it to its Known Exploit Vulnerability catalog, warning that Microsoft Windows contains “a spoofing vulnerability that has a high impact to confidentiality, integrity, and availability.”
CISA, the government’s cybersecurity agency, has mandated that all Windows systems in use by federal employees be updated or shut down within 21 days, by July 30. Given that Check Point reports that “threat actors have been using the attacking techniques for quite some time,” it is critical that all organizations also apply CISA’s mandate.
We have seen another CISA July Windows update mandate already this month. But this time around, the first known exploits date back more than a year—which is an alarming length of time for an exposure to be out in the wild.
Microsoft publicly acknowledged this vulnerability had been exploited in its July update; a spokesperson told me “we greatly appreciate [Check Point’s] Haifei Li for this research and for responsibly reporting it under a coordinated vulnerability disclosure. Customers who have installed the update are already protected.”
Many Windows users will be understandably unhappy this is possible, with IE long retired. “IE is an outdated web browser and was known well for its insecurity,” Check Point says, albeit “IE is still part of the Windows OS.” Users should not be able to open URLs with IE unless specifically asked to do so. But, “with the mhtml trick,” a victim clicks a link thinking it’s to open a PDF, not an IE shortcut.
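A defender-side check for the two traits described above, as an added example that is not part of this article or Check Point’s research: it parses a Windows Internet Shortcut (.url) file, flags a URL field that uses the mhtml: scheme (which hands the link to the legacy IE engine), and flags a file name that disguises the shortcut as a document. The sample shortcut contents and the hostname attacker.example are constructed for illustration.

```python
import re

# Constructed sample .url contents; a real file carries more fields but the URL line is what matters.
SUSPICIOUS_SAMPLE = "[InternetShortcut]\r\nURL=mhtml:http://attacker.example/Books.pdf\r\n"
BENIGN_SAMPLE = "[InternetShortcut]\r\nURL=https://intranet.example.com/\r\n"

MHTML_RE = re.compile(r"^mhtml:", re.IGNORECASE)
# A .url file named like a document (report.pdf.url) shows only "report.pdf" when extensions are hidden.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.url$", re.IGNORECASE)


def parse_internet_shortcut(text: str) -> dict[str, str]:
    """Return key/value pairs from the [InternetShortcut] section, keys lower-cased.

    Hand-rolled rather than configparser so odd casing, CRLF line endings and
    duplicate keys (which configparser rejects) do not make the scan bail out.
    """
    fields: dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def scan_internet_shortcut(filename: str, text: str) -> list[str]:
    """Return the list of findings for one .url file (empty list means nothing flagged)."""
    findings: list[str] = []
    url = parse_internet_shortcut(text).get("url", "")
    if MHTML_RE.match(url):
        findings.append("url-uses-mhtml-scheme")  # link would open in the retired IE engine
    if DOUBLE_EXT_RE.search(filename):
        findings.append("document-extension-disguise")
    return findings


if __name__ == "__main__":
    for name, body in (("Books.pdf.url", SUSPICIOUS_SAMPLE), ("intranet.url", BENIGN_SAMPLE)):
        print(name, scan_internet_shortcut(name, body))
```

Run this over .url attachments quarantined by a mail gateway or found in user download folders; either finding is a reason to hold the file back until the July update is confirmed installed.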
This vulnerability—CVE-2024-38112—isn’t the only Microsoft Windows patch to make CISA’s list with a July 30 deadline. The government has also added CVE-2024-38080, warning that “Microsoft Windows Hyper-V contains a privilege escalation vulnerability that allows a local attacker with user permissions to gain SYSTEM privileges.” Updating Windows now will clearly address both, as well as a further 137 patches in Microsoft’s bulging July update.
Check Point’s Eli Smadja describes the exploit they discovered as “especially surprising… leveraging Internet Explorer, which many users may not realize is even on their computer, to execute their attack,” adding that “all Windows users [should] immediately apply the Microsoft patch to protect themselves.”
This report should also give Windows 10 holdouts pause for thought ahead of its end of life next October, at which point it will not receive regular security updates such as this unless you opt for a new, paid plan. The latest stats suggest Microsoft may finally be making some headway pushing users to upgrade, which is welcome.
It’s a busy time for Windows updates. In parallel, users are now being inundated with news of July’s patched zero-days, mandatory Windows 11 updates to maintain access to security fixes (such as these), and the ongoing pressure to switch from 10 to 11.
And given this is Windows, it isn’t always smooth running. Microsoft has just resolved an issue from its June Windows security update, where “devices might fail to start; affected systems might restart repeatedly and require recovery operations in order to restore normal use.” This prompted some updates to be dropped.
Per Bleeping Computer, “this fix comes after Redmond was forced to pull the update on June 27 after reports that it was causing some Windows devices to restart repeatedly while others failed to start altogether… The same update also causes the taskbar to freeze or stop displaying correctly on systems running the Windows N edition or with the ‘Media Features’ feature turned off.”
This issue hit late last month, just as the July 4 deadline for the previous CISA-mandated Windows update approached, leaving some users unable to update. Initially it seemed this might affect a wide range of users, before it became clear that the issue primarily impacted devices using virtualized machines or features, but it caused a fair amount of interruption to the monthly update process.
Fortunately, nothing like that as yet this time around—but watch this space…