Microsoft lost 12% of its profit, windows

Zero-Day Exploit in Windows Targets Users for Over a Year

Quick Look:

  • Attackers exploited a zero-day flaw in Windows 10 and 11 via Internet Explorer.
  • The malware targeted users for over a year before Microsoft addressed it.
  • Techniques used included “mhtml” and an IE trick to deceive users.
  • Users should install updates promptly and be cautious of suspicious files.

Threat actors exploited a zero-day vulnerability in Windows operating systems, targeting users with malware for over a year before Microsoft addressed the issue. Windows 10 and 11 flaw allowed attackers to exploit a legacy browser, Internet Explorer (IE), which Microsoft had retired in 2022. Despite being phased out, the browser’s ageing codebase remained susceptible to exploits, offering a gateway for malicious activities.

The Hidden Danger in Internet Explorer

Microsoft’s decision to decommission Internet Explorer aimed to bolster security by transitioning users to more robust browsers like Edge and Chrome. However, this vulnerability made it possible for attackers to bypass these measures. The attack exploited an older method involving IE, capitalizing on its outdated infrastructure to execute malicious code. By tricking users into believing they were opening benign PDF files, the attackers managed to execute harmful .hta applications instead.

Unveiling the “MHTML” and “IE” Tricks

The attackers employed two main techniques to deceive Windows users. The first, known as the “mhtml” trick, enabled the calling of IE rather than the more secure Edge or Chrome browsers. The second involved an IE trick that misled users into thinking they were opening a PDF file. Instead, they were downloading and executing a dangerous application. This dual-pronged approach effectively masked the true nature of the threat, allowing it to spread undetected.

The Extent of the Threat

The malicious code, active since at least January 2023, was circulating as recently as May. Check Point researchers, who uncovered and reported the vulnerability to Microsoft, noted that the attack code utilized old and novel tricks. The vulnerability, identified as CVE-2024-CVE-38112, was assigned a severity rating of 7.0 out of 10. Microsoft addressed this flaw in their latest patch release, highlighting the critical nature of timely updates.

Deceptive Files and Dangerous Downloads

The attack notably involved a file named Books_A0UJKO.pdf.url, which appeared to be a PDF but was a .url file designed to open specific applications. Clicking this file calls msedge.exe, invoking IE instead of Edge. The link incorporated attributes that threat actors have used for years to manipulate Windows into opening applications like MS Word. This redirection to a malicious website allowed attackers to leverage IE’s vulnerabilities.

The Risk of Remote Code Execution

Once IE opened the malicious website, the attackers had various malicious opportunities. While they didn’t use any known IE remote code execution exploits in the analyzed samples, they employed another trick within IE to gain remote code execution. This previously unknown method underscores the ongoing risk posed by outdated software and the ingenuity of threat actors in exploiting such weaknesses.

Preventative Measures and User Vigilance

Windows users are urged to install the latest security updates promptly to mitigate the risks associated with this vulnerability. Additionally, users should be cautious when opening files from unknown sources, particularly those that appear to be PDFs but carry unusual extensions like .url. By staying informed and vigilant, users can protect themselves from similar exploits in the future.

Year-Long Exploit Highlights Update Importance

This prolonged exploitation of a zero-day vulnerability in Windows systems is a stark reminder of the importance of software updates and cybersecurity awareness. While Microsoft has addressed the issue, the creative methods employed by attackers highlight the need for ongoing vigilance. As technology continues to evolve, so do the tactics of those seeking to exploit it, making continuous learning and adaptation essential for maintaining security.

Sending
User Review
0 (0 votes)

RELATED POSTS

Leave a Reply