Microsoft Fixed Zero-Day Vulnerability in Windows 10 and Windows 11 Updates

TapTechNews July 11th news, in the cumulative updates of Windows 10 and Windows 11 systems released by Microsoft on Patch Tuesday in July, fixed the zero-day vulnerability with tracking number CVE-2024-38112.

This zero-day vulnerability was discovered by security expert Haifei Li (transliterated) from CheckPointResearch in January 2023. It is a highly serious MHTML spoofing problem. There is evidence that hackers have used this vulnerability to launch malicious attacks in the past 18 months and can bypass the security functions of Windows 10 and Windows 11 systems.

The expert found that network attackers distributed Windows Internet shortcut files (.url) to spoof seemingly legitimate files such as PDFs. Once users clicked on these files, they would download and start HTA to install password-stealing malware.

An Internet shortcut file is just a text file that contains various configuration settings such as what icon to display, what link to open when double-clicked, and other information. After saving as a.url file and double-clicking, Windows will open the configured URL in the default web browser.

However, attackers found that they could force Internet Explorer to open the specified URL by using the mhtml:URI handler in the URL instruction, as shown in the following figure:

TapTechNews note: MHTML is a kind of MIME encapsulation of aggregated HTML documents file, a technology introduced in Internet Explorer that can encapsulate an entire web page including images into a single file.

After attackers use mhtml:URI to start the URL, Windows will automatically start the URL in Internet Explorer instead of the default browser.

Will Dormann, a vulnerability researcher, said that opening a web page in Internet Explorer gives attackers additional benefits and there are fewer security warnings when downloading malicious files.

Although Microsoft announced the cessation of support for this browser as early as two years ago and replaced all its practical functions with Edge, this outdated browser can still be maliciously invoked and exploited.