Threat actors exploited Windows 0-day for more than a year before Microsoft fixed it

Threat actors carried out zero-day attacks that targeted Windows users with malware for more than a year before Microsoft fixed the vulnerability that made them possible, researchers said Tuesday.

The vulnerability, present in both Windows 10 and 11, causes devices to open Internet Explorer, a legacy browser that Microsoft decommissioned in 2022 after its aging code base made it increasingly susceptible to exploits. Following the move, Windows made it difficult, if not impossible, for normal actions to open the browser, which was first introduced in the mid-1990s.

Tricks old and new

Malicious code that exploits the vulnerability dates back to at least January 2023 and was circulating as recently as May this year, according to the researchers who discovered the vulnerability and reported it to Microsoft. The company fixed the vulnerability, tracked as CVE-2024-CVE-38112, on Tuesday as part of its monthly patch release program. The vulnerability, which resided in the MSHTML engine of Windows, carried a severity rating of 7.0 out of 10.

The researchers from security firm Check Point said the attack code executed “novel (or previously unknown) tricks to lure Windows users for remote code execution.” A link that appeared to open a PDF file appended a .url extension to the end of the file, for instance, Books_A0UJKO.pdf.url, found in one of the malicious code samples.

When viewed in Windows, the file showed an icon indicating the file was a PDF rather than a .url file. Such files are designed to open an application specified in a link.

A link in the file made a call to msedge.exe, a file that runs Edge. The link, however, incorporated two attributes—mhtml: and !x-usc:—an “old trick” threat actors have been using for years to cause Windows to open applications such as MS Word. It also included a link to a malicious website. When clicked, the .url file disguised as a PDF opened the site, not in Edge, but in Internet Explorer.

“From there (the website being opened with IE), the attacker could do many bad things because IE is insecure and outdated,” Haifei Li, the Check Point researcher who discovered the vulnerability, wrote. “For example, if the attacker has an IE zero-day exploit—which is much easier to find compared to Chrome/Edge—the attacker could attack the victim to gain remote code execution immediately. However, in the samples we analyzed, the threat actors didn’t use any IE remote code execution exploit. Instead, they used another trick in IE—which is probably not publicly known previously—to the best of our knowledge—to trick the victim into gaining remote code execution.”

IE would then present the user with a dialog box asking them if they wanted to open the file masquerading as a PDF. If the user clicked “open,” Windows presented a second dialog box displaying a vague notice that proceeding would open content on the Windows device. If users clicked “allow,” IE would load a file ending in .hta, an extension that causes Windows to open the file in Internet Explorer and run embedded code.

“To summarize the attacks from the exploitation perspective: the first technique used in these campaigns is the “mhtml” trick, which allows the attacker to call IE instead of the more secure Chrome/Edge,” Li wrote. “The second technique is an IE trick to make the victim believe they are opening a PDF file, while in fact, they are downloading and executing a dangerous .hta application. The overall goal of these attacks is to make the victims believe they are opening a PDF file, and it is made possible by using these two tricks.”

The Check Point post includes cryptographic hashes for six malicious .url files used in the campaign. Windows users can use the hashes to check if they have been targeted.