Zero-day patched by Microsoft has been exploited by attackers for over a year (CVE-2024-38112)
CVE-2024-38112, a spoofing vulnerability in the Windows MSHTML Platform for which Microsoft released a fix on Tuesday, has likely been exploited by attackers in the wild for over a year, Check Point researcher Haifei Li has revealed.
"Check Point Research recently discovered that threat actors have been using novel tricks to lure Windows users for remote code execution. Specifically, the attackers used special Windows Internet Shortcut files, which, when clicked, would call the retired Internet Explorer to visit the attacker-controlled URL," he explained.
The .url file would look like a benign file to most Windows users because it points to a customized icon inside the Microsoft Edge application file - in this case, an icon for PDF files.
This trick lets the attackers keep hiding the file's true nature from a user who is intent on opening it and clicks through several pop-up warnings; the supposed PDF is actually a malicious HTA file, which executes and enables RCE. The IE pop-up shows only the PDF extension.
Microsoft was notified in May and has now finally issued a patch that prevents URL files from triggering the MHTML: URI handler.
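The lure described above relies on two properties of an Internet Shortcut (.url) file: a URL using the MHTML: scheme, and an icon borrowed from the Edge binary. The following triage script is an added example, not Check Point's or Microsoft's code; the .url samples are constructed, and the IconIndex value is a placeholder since the article does not give the real one.

```python
import configparser
import ntpath
from typing import Dict, List

# Constructed sample Internet Shortcut (.url) files, INI-style; not real samples.
SAMPLES: Dict[str, str] = {
    "benign.url": "[InternetShortcut]\nURL=https://www.helpnetsecurity.com/\n",
    "lure.url": (
        "[InternetShortcut]\n"
        "URL=mhtml:http://example.invalid/quarterly-report.pdf\n"
        # Icon borrowed from the Edge binary so the shortcut renders like a PDF.
        "IconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n"
        "IconIndex=0\n"  # placeholder index; the article does not give the real value
    ),
}


def parse_url_file(text: str) -> Dict[str, str]:
    """Return the [InternetShortcut] keys (lower-cased) of a .url file, or {}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return dict(cp.items(section))
    return {}


def triage_url_file(text: str) -> List[str]:
    """Heuristic findings for one .url file, matching the lure the article describes."""
    keys = parse_url_file(text)
    url = keys.get("url", "").strip().lower()
    icon = ntpath.basename(keys.get("iconfile", "").strip()).lower()
    findings: List[str] = []
    if url.startswith("mhtml:"):
        findings.append("mhtml-uri")       # hands the target to the retired IE engine
    if url.rstrip("/").endswith(".hta"):
        findings.append("hta-target")      # HTML Application payloads run as code
    if icon == "msedge.exe":
        findings.append("icon-from-edge")  # icon resource borrowed from another app
    return findings


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {triage_url_file(body) or 'clean'}")
```

Point the script at .url files arriving by mail or download; the "mhtml-uri" finding alone is enough to quarantine, since the patch exists precisely to stop that handler from being reached this way.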
Morphisec researchers have warned that the patch for CVE-2024-38021 - a Microsoft Office vulnerability that can be exploited remotely and could lead to RCE - should also be implemented sooner rather than later.
News URL
https://www.helpnetsecurity.com/2024/07/10/cve-2024-38112-cve-2024-38021/
Related vulnerabilities

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-07-09 | CVE-2024-38112 | Windows MSHTML Platform Spoofing Vulnerability | 7.5 |
| 2024-07-09 | CVE-2024-38021 | Microsoft Outlook Remote Code Execution Vulnerability | 8.8 |