Check Point sheds light on Windows MSHTML zero-day flaw
A Check Point Software Technologies researcher who discovered CVE-2024-38112 said the Windows spoofing vulnerability may have been exploited as far back as January 2023.
Check Point Software Technologies provided new details surrounding CVE-2024-38112, a Windows zero-day flaw it discovered that was fixed in this week's Patch Tuesday release but may have been under exploitation for more than a year.
CVE-2024-38112 is a spoofing vulnerability in the Windows MSHTML platform. It was assigned a CVSS score of 7.5 and has been exploited in the wild. In an advisory, Microsoft said that to exploit the flaw, "an attacker would have to send the victim a malicious file that the victim would have to execute."
Microsoft credited discovery of the vulnerability to Haifei Li, principal vulnerability researcher at Check Point. In a thread on X (formerly Twitter), Li said Microsoft gave Check Point timing for a patch but "released the patch earlier without notifying us." He added that, "Coordinated disclosure can't be just one-side coordination."
However, in a follow-up post, Li said Microsoft had reached out to him; the company "acknowledged the problem to me and hopefully the communications will be much better!" TechTarget Editorial contacted Microsoft and Check Point for additional comment on the miscommunication, but both parties declined to comment on the issue.
However, a Microsoft spokesperson shared the following statement in an email:
"We greatly appreciate Haifei Li for this research and for responsibly reporting it under a coordinated vulnerability disclosure," the statement read. "Customers who have installed the update are already protected. In this case the update was ready and released sooner than initially planned and we are working to ensure researchers are better informed of timeline changes going forward."
Check Point Research published a blog post on Tuesday evening, authored by Li, providing additional technical information on CVE-2024-38112. Li wrote that unnamed threat actors lured victims into clicking Windows Internet Shortcut files with a .URL extension that "would call the retired Internet Explorer (IE) to visit the attacker-controlled URL" when clicked.
Although Internet Explorer is no longer officially supported, IE code is still present in the Windows OS, which allows the flaw to be exploited regardless of whether an IE app is installed on a Windows system.
"By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim's computer, although the computer is running the modern Windows 10/11 operating system," Li wrote.
In the cases observed by Check Point, threat actors created and distributed spoofed Windows Internet Shortcut files crafted to look like PDFs; the shortcuts ultimately launched malicious .HTA applications, giving the attackers remote code execution.
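A SOC analyst triaging this lure pattern would want to check .URL files on disk or in mail attachments for the three traits described above: a document-lookalike name, a target that is handed to the legacy MSHTML/IE engine rather than the default browser, and a remote .HTA payload. The script below is an added example written for this article; it is not Check Point's tooling and not Microsoft's guidance. The article does not say which URI mechanism the samples used to invoke IE, so the `mhtml` scheme flagged here is an assumption of the example, and the sample shortcut files (including the 203.0.113.5 address) are constructed for illustration.

```python
"""Triage Windows Internet Shortcut (.url) files for the IE-invoking lure
pattern: a document-lookalike name, an IE-routed target, a remote .HTA.
Added example for this article; not Check Point's or Microsoft's code."""
import configparser
import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath, PureWindowsPath
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# ASSUMPTION: schemes that hand a shortcut target to the legacy MSHTML (IE)
# engine instead of the default browser. The article names no mechanism.
IE_ROUTED_SCHEMES = {"mhtml"}
# Inner extensions that make "Invoice.pdf.url" look like a document when
# Windows hides the real .url extension.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Payload types worth flagging when referenced by the shortcut target.
SCRIPT_EXTENSIONS = {".hta", ".js", ".vbs", ".ps1", ".exe"}
# Any http(s) URL embedded in the target, whatever prefix precedes it.
_EMBEDDED_URL = re.compile(r"""https?://[^\s!"'<>]+""", re.IGNORECASE)


@dataclass
class Verdict:
    filename: str
    target: Optional[str]
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_url_file(text: str) -> Optional[str]:
    """Return the URL= value of the [InternetShortcut] section, or None."""
    # .url files are INI-style; only '=' separates key and value, so a ':'
    # inside the URL itself is not mistaken for a delimiter.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return cp[section].get("url")  # configparser lower-cases keys
    return None


def triage(filename: str, text: str) -> Verdict:
    """Inspect one shortcut and record every suspicious trait found."""
    target = parse_url_file(text)
    verdict = Verdict(filename=filename, target=target)
    name = PureWindowsPath(filename).name.lower()
    if not name.endswith(".url"):
        return verdict  # not an Internet Shortcut by extension
    if target is None:
        verdict.findings.append("no URL= field in [InternetShortcut]")
        return verdict
    # 1. Lure name: the extension before .url is a document type.
    inner_ext = PureWindowsPath(name[:-4]).suffix
    if inner_ext in DOCUMENT_EXTENSIONS:
        verdict.findings.append(f"document-lookalike name ({inner_ext}.url)")
    # 2. Scheme that routes the target to the legacy MSHTML/IE engine.
    scheme = target.split(":", 1)[0].strip().lower()
    if scheme in IE_ROUTED_SCHEMES:
        verdict.findings.append(f"target routed to legacy MSHTML/IE via {scheme}:")
    # 3. Any embedded remote URL whose path names a script payload (.hta etc.).
    for url in _EMBEDDED_URL.findall(target):
        ext = PurePosixPath(urlsplit(url).path).suffix.lower()
        if ext in SCRIPT_EXTENSIONS:
            verdict.findings.append(f"remote script payload: {url}")
    return verdict


# Constructed sample shortcut files (not real samples from the campaign).
SAMPLES: Dict[str, str] = {
    # Lure: looks like a PDF, hands a remote .hta to the IE engine.
    "Invoice_2024.pdf.url": (
        "[InternetShortcut]\r\n"
        "URL=mhtml:http://203.0.113.5/docs/Invoice_2024.hta\r\n"
        "IconIndex=13\r\n"
    ),
    # Ordinary bookmark: no findings expected.
    "Intranet.url": "[InternetShortcut]\r\nURL=https://intranet.example.com/\r\n",
    # Deceptive name but a plain https target: name finding only.
    "Report.pdf.url": "[InternetShortcut]\r\nURL=https://files.example.com/report.pdf\r\n",
}


def triage_all(samples: Dict[str, str] = SAMPLES) -> Dict[str, Verdict]:
    """Run triage over a mapping of filename -> file contents."""
    return {name: triage(name, text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        flag = "SUSPICIOUS" if verdict.suspicious else "clean"
        print(f"{name}: {flag}")
        for finding in verdict.findings:
            print(f"  - {finding}")
```

Running the block prints one verdict per constructed file; the disguised shortcut collects all three findings, the plain bookmark none, and the renamed-but-benign shortcut only the name finding. To use it on a real mailbox export or endpoint sweep, feed `triage_all` a mapping built from the .url files you collected, and extend `IE_ROUTED_SCHEMES` as your own analysis of the samples dictates.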
Li's blog post did not attribute the attacks to any specific threat actors and did not contain information about the identities of the targets. However, regarding threat activity, he wrote that the earliest malicious URL sample was discovered in January 2023 and the most recent was on May 13. "This suggests that threat actors have been using the attacking techniques for quite some time," Li said.
Eli Smadja, research group manager at Check Point, told TechTarget Editorial in an email that at least two campaigns "likely conducted by separate groups" were responsible for relevant threat activity, and that one threat actor utilizing the technique had a history of infostealer infections. Moreover, Smadja said Check Point is still investigating, but the primary motivation appears to be cybercrime-related.
"In mid-May 2024, we discovered that a threat actor previously responsible for Atlantida stealer infections had augmented their arsenal with new exploits," Smadja said. "This specific threat actor uses compromised WordPress sites to launch attacks through HTA and PowerShell files, ultimately deploying the Atlantida stealer onto victims' machines. This particular campaign predominantly targets users in Turkey and Vietnam."
Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.