Microsoft's Internet Explorer Gets Revived to Lure in Windows Victims

Check Point earlier this month discovered a remote code execution vulnerability, tracked as CVE-2024-38112, that impacts Microsoft Windows users and different versions of Windows Server.

The attackers used Windows Internet Shortcut files, which call on the retired Internet Explorer to visit a URL with a hidden malicious extension name and controlled by these threat actors. Because users are opening this URL with Internet Explorer, and not more secure browsers like Chrome or Edge, the threat actor has more advantages in exploiting the victim's device.

The threat actors also use a second method where they "make the victim believe they are opening a PDF file, while in fact, they are downloading and executing a dangerous .hta application," wrote the Check Point researchers.

The Cybersecurity and Infrastructure Security Agency (CISA) has added this high-severity vulnerability to its Known Exploited Vulnerabilities Catalog  Catalog, with its score of 7.5 due to its active exploitation, and mandated that all Windows systems within federal agencies must be updated or shut down by July 30.

Other research shows that of the roughly 500,000 endpoints running Windows 10 and 11, more than 10% of those devices are missing endpoint protection controls and almost 9% lack patch management controls, meaning that these organizations have a significant number of blind spots for attackers to exploit. 

Though Microsoft issued a patch on July 9, some exploits of this vulnerability date back more than a year ago, which means organizations need to act quickly in their mitigation efforts.