www.helpnetsecurity.com
52.39.43.255
Public Scan
URL:
https://www.helpnetsecurity.com/2024/07/10/cve-2024-38112-cve-2024-38021/
Submission: On July 11 via api from TR — Scanned from DE
Form analysis
2 forms found in the DOM
POST
<form id="mc4wp-form-1" class="mc4wp-form mc4wp-form-298002 mc4wp-ajax" method="post" data-id="298002" data-name="Breaking news">
<div class="mc4wp-form-fields"><img decoding="async" class="aligncenter" title="OPIS" src="https://img2.helpnetsecurity.com/posts2024/devider.webp" alt="OPIS">
<img decoding="async" src="https://img2.helpnetsecurity.com/posts2024/newsletter_ad-550x98px_5.webp" class="aligncenter" alt="OPIS" title="OPIS">
<br>
<label>
<input type="email" name="EMAIL" size="35" placeholder="Please enter your e-mail address" required="">
</label> <input type="submit" value="Subscribe">
<p></p>
<p>
<label>
<input type="checkbox" name="AGREE_TO_TERMS" value="1" required=""> I have read and agree to the <a href="https://www.helpnetsecurity.com/privacy-policy/#personalized" target="_blank" rel="noopener">terms & conditions</a>
</label>
<img decoding="async" class="aligncenter" title="OPIS" src="https://img2.helpnetsecurity.com/posts2024/devider.webp" alt="OPIS">
</p>
</div><label style="display: none !important;">Leave this field empty if you're human: <input type="text" name="_mc4wp_honeypot" value="" tabindex="-1" autocomplete="off"></label><input type="hidden" name="_mc4wp_timestamp"
value="1720663838"><input type="hidden" name="_mc4wp_form_id" value="298002"><input type="hidden" name="_mc4wp_form_element_id" value="mc4wp-form-1">
<div class="mc4wp-response"></div>
</form>
POST
<form id="mc4wp-form-2" class="mc4wp-form mc4wp-form-244483 mc4wp-ajax" method="post" data-id="244483" data-name="Footer newsletter form">
<div class="mc4wp-form-fields">
<div class="hns-newsletter">
<div class="hns-newsletter__top">
<div class="container">
<div class="hns-newsletter__wrapper">
<div class="hns-newsletter__title">
<i>
<svg class="hic">
<use xlink:href="#hic-plus"></use>
</svg>
</i>
<span>Cybersecurity news</span>
</div>
</div>
</div>
</div>
<div class="hns-newsletter__bottom">
<div class="container">
<div class="hns-newsletter__wrapper">
<div class="hns-newsletter__body">
<div class="row">
<div class="col">
<div class="form-check form-control-lg">
<input class="form-check-input" type="checkbox" name="_mc4wp_lists[]" value="520ac2f639" id="mcs1">
<label class="form-check-label text-nowrap" for="mcs1">Daily Newsletter</label>
</div>
</div>
<div class="col">
<div class="form-check form-control-lg">
<input class="form-check-input" type="checkbox" name="_mc4wp_lists[]" value="d2d471aafa" id="mcs2">
<label class="form-check-label text-nowrap" for="mcs2">Weekly Newsletter</label>
</div>
</div>
</div>
</div>
<div class="form-check form-control-lg mb-3">
<input class="form-check-input" type="checkbox" name="_mc4wp_lists[]" value="28abe5d9ef" id="mcs3">
<label class="form-check-label" for="mcs3">(IN)SECURE - monthly newsletter with top articles</label>
</div>
<div class="input-group mb-3">
<input type="email" name="email" id="email" class="form-control border-dark" placeholder="Please enter your e-mail address" aria-label="Please enter your e-mail address" aria-describedby="hns-newsletter-submit-btn" required="">
<button class="btn btn-dark rounded-0" type="submit" id="hns-newsletter-submit-btn">Subscribe</button>
</div>
<div class="form-check">
<input class="form-check-input" type="checkbox" name="AGREE_TO_TERMS" value="1" id="mcs4" required="">
<label class="form-check-label" for="mcs4">
<span>I have read and agree to the <a href="https://www.helpnetsecurity.com/newsletter/" target="_blank" rel="noopener" class="d-inline-block">terms & conditions</a>
</span>
</label>
</div>
</div>
</div>
</div>
</div>
</div><label style="display: none !important;">Leave this field empty if you're human: <input type="text" name="_mc4wp_honeypot" value="" tabindex="-1" autocomplete="off"></label><input type="hidden" name="_mc4wp_timestamp"
value="1720663838"><input type="hidden" name="_mc4wp_form_id" value="244483"><input type="hidden" name="_mc4wp_form_element_id" value="mc4wp-form-2">
<div class="mc4wp-response"></div>
</form>
Text Content
Zeljka Zorz, Editor-in-Chief, Help Net Security
July 10, 2024

ZERO-DAY PATCHED BY MICROSOFT HAS BEEN EXPLOITED BY ATTACKERS FOR OVER A YEAR (CVE-2024-38112)

CVE-2024-38112, a spoofing vulnerability in Windows MSHTML Platform for which Microsoft released a fix on Tuesday, has likely been exploited by attackers in the wild for over a year, Check Point researcher Haifei Li has revealed.

“Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users for remote code execution. Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL,” he explained.

“By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.”

LEVERAGING THE ZERO-DAY

A file specially crafted to exploit CVE-2024-38112 – e.g., Books_A0UJKO.pdf.url – would look like a benign file to most Windows users because it would point to a customized icon in the Microsoft Edge application file (msedge.exe) – in this case, an icon for PDF files.

The file (ab)uses the MHTML: URI handler to force Internet Explorer to open an attacker-controlled website, from which attackers could further the compromise.

“For example, if the attacker has an IE zero-day exploit – which is much easier to find compared to Chrome/Edge, the attacker could attack the victim to gain remote code execution immediately,” the researcher noted.

“However, in the samples we analyzed, the threat actors didn’t use any IE remote code execution exploit. Instead, they used another trick in IE – which is probably not publicly known previously – to the best of our knowledge – to trick the victim into gaining remote code execution.”

This trick allows the attackers to continue hiding the file’s true nature from a user who is intent on opening it by clicking through several pop-up warnings; the PDF file is actually a malicious HTA (HTML application) file, which executes and enables RCE.

[Figure: IE pop-up shows only the PDF extension (Source: Check Point Research)]

“The malicious .url samples we discovered could be dated back as early as January 2023 (more than one year ago) to the latest May 13, 2024 (…). This suggests that threat actors have been using the attacking techniques for quite some time,” the researcher noted.

Microsoft was notified in May, and has now finally issued a patch, preventing URL files from triggering the MHTML: URI handler. Admins are advised to implement it quickly.

Users are also advised to be careful when opening URL files from untrusted sources, and should not sail through OS security warnings without a careful perusal.

CISA has added CVE-2024-38112 to its Known Exploited Vulnerabilities (KEV) catalog, thus ordering US federal civilian executive branch agencies to apply the patch by July 30.

CVE-2024-38021: ANOTHER FLAW TO PATCH SOONER RATHER THAN LATER

Morphisec researchers have warned that the patch for CVE-2024-38021 – a Microsoft Office vulnerability that can be exploited remotely and could lead to RCE – should also be implemented sooner rather than later.

Microsoft has given the flaw an “Important” severity rating, but the researchers argue that it should be considered critical, “given its zero-click nature (for trusted senders) and lack of authentication requirements.”

The researchers will release technical details and a PoC for CVE-2024-38021 next month at the DEF CON 32 conference in Las Vegas, so get the patch before that.