Researchers revealed that the recently patched Windows MSHTML vulnerability remained under attack for over a year before Microsoft could fix it. While the vulnerability has now received a patch, it remains crucial for all vulnerable systems to apply the fix and scan their systems for potential infiltration.
Windows MSHTML Vulnerability Exploit Works Against Windows 10, 11 Alike
According to Check Point Research (CPR), criminal hackers had exploited the recently fixed Windows MSHTML vulnerability for eighteen months.
As explained, the exploit worked because of an “mhtml” trick that let the adversary invoke Internet Explorer instead of Microsoft Edge.
While Microsoft has replaced Internet Explorer with Microsoft Edge, ending support in 2022, the old browser remains partially accessible on Windows 10 systems, since it shipped with the OS at launch. In fact, CPR observed the same behavior on the latest Windows 11 as well, which makes even the most recent Windows systems vulnerable to the MSHTML attack.
Regarding the exploit, the researchers stated that the attackers used a previously unknown trick to lure users into opening maliciously crafted files. The trick allowed the attackers to create files with the .url extension that would invoke Internet Explorer through the mhtml: URI handler.
However, to evade detection, the attackers hid the “.url” extension, making the files appear as PDF files. Clicking the file would open the Internet Explorer browser, downloading an archive with the data-stealing malware from the attacker-controlled web page. While the process would generate several prompts that may alarm a savvy user, an average user may not pay attention to the prompts, eventually falling prey to the attack.
The researchers have explained the entire attack strategy in their post.
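A defender-side check for the two traits described above, as an added example that is not from the Check Point post: it parses the INI-style body of a Windows .url shortcut, flags a target that starts with the mhtml: handler, and flags a file name whose hidden .url suffix sits behind a document-looking extension such as .pdf. The sample shortcuts, the example.invalid host and the extension list are constructed for this illustration.

```python
import configparser
import os
import re

# Extensions that make a shortcut look like a document once Explorer hides the
# known ".url" suffix (constructed list for this example, not an exhaustive one).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# The mhtml: prefix hands the URL to the MSHTML (Internet Explorer) engine instead of Edge.
MHTML_PREFIX = re.compile(r"^\s*mhtml:", re.IGNORECASE)


def parse_url_shortcut(text: str) -> dict:
    """Parse the INI-style body of a Windows .url file; return the [InternetShortcut] keys."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case exactly as written in the file
    try:
        parser.read_string(text)
    except configparser.Error:  # not a parseable shortcut (e.g. no section header)
        return {}
    if not parser.has_section("InternetShortcut"):
        return {}
    return dict(parser.items("InternetShortcut"))


def assess_url_file(filename: str, text: str) -> list:
    """Return reason tags explaining why this .url file matches the lure pattern."""
    reasons = []
    target = parse_url_shortcut(text).get("URL", "")
    if MHTML_PREFIX.match(target):
        reasons.append("mhtml-uri")  # target forces Internet Explorer via the mhtml: handler
    stem, ext = os.path.splitext(os.path.basename(filename))
    if ext.lower() == ".url":
        inner_ext = os.path.splitext(stem)[1].lower()
        if inner_ext in DOCUMENT_EXTS:
            # "Report.pdf.url" is displayed as "Report.pdf" when known extensions are hidden
            reasons.append("document-lookalike-name")
    return reasons


# Constructed samples (not real lures): a benign shortcut and one matching the described pattern.
BENIGN_URL = "[InternetShortcut]\nURL=https://example.invalid/\n"
LURE_URL = "[InternetShortcut]\nURL=MHTML:http://example.invalid/Report.pdf\nIconIndex=0\n"

if __name__ == "__main__":
    for name, body in (("Notes.url", BENIGN_URL), ("Report.pdf.url", LURE_URL)):
        print(name, "->", assess_url_file(name, body) or ["clean"])
```

Run it over a mail gateway quarantine or a user's Downloads folder by feeding each .url file's name and contents to assess_url_file; any non-empty result deserves a closer look.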
Microsoft Fixed The Vulnerability with July 2024 Patch Tuesday
Upon discovering the vulnerability, Check Point Research reported the matter to Microsoft in May 2024. In response, the tech giant patched the vulnerability with the July 2024 Patch Tuesday updates, disclosing the flaw as a zero-day.
Though the patch has arrived, the researchers still advise users to remain cautious when opening .url files from untrusted sources.