Windows Patchday news: MSHTML 0-day vulnerability CVE-2024-38112 exploited by malware

A small addendum to the July 2024 Patchday at Microsoft. With the security updates, Microsoft has also closed an MSHTML spoofing vulnerability. There is information that this vulnerability (CVE-2024-38112) was, and still is, being exploited by malware. The vulnerability lies in Internet Explorer components, and there is currently controversy because ZDI classifies the vulnerability as more critical than Microsoft does.



The MSHTML vulnerability CVE-2024-38112

First, a brief review of the vulnerability from Microsoft's perspective. I had published some information about the vulnerability CVE-2024-38112 in the blog post Microsoft Security Update Summary (July 9, 2024), based on Microsoft's information. It is a Windows MSHTML Platform Spoofing vulnerability that has been classified as "important" with a CVSS v3 score of 7.5.

Microsoft states that an unauthenticated, remote attacker could exploit this vulnerability. The attacker must trick the victim into opening an (HTML) file. Microsoft points out that in order to successfully exploit this vulnerability, an attacker would have to take "additional measures" to "prepare the target environment".

The abbreviation MSHTML stands for the Trident browser engine, which handled HTML rendering in Internet Explorer. But surely Internet Explorer has long since been removed from Windows (with a few exceptions) and replaced by the Edge browser? Not quite: Microsoft has only deactivated Internet Explorer as a browser in Windows.

However, I pointed out in the blog post Windows 10: Microsoft disables Internet Explorer 11 on Feb. 14, 2023 (published Feb. 14, 2023) that Internet Explorer 11 can probably never be completely removed from Windows 10. Only the GUI components are deactivated; the Trident engine (MSHTML) remains in Windows.

Patch in July 2024 and exploitation

In July 2024, Microsoft patched the vulnerability CVE-2024-38112 through Windows updates (see the links to the Windows updates at the end of the article, as well as the patches listed by Microsoft under the linked CVE). According to Microsoft, this vulnerability was exploited as a zero-day vulnerability. But the whole thing is said to be non-trivial.
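As an added example (not from the blog post or from Microsoft), a PowerShell inventory check that shows the two points above on a live machine: the MSHTML engine (mshtml.dll) stays on disk even when the Internet Explorer 11 optional feature is disabled, and whether one of the July 2024 cumulative updates named on this page is installed. It assumes an elevated session on 64-bit Windows 10/11; KB5040427 (Windows 10) and KB5040442 (Windows 11) are the KB numbers this page mentions, and other Windows builds use other numbers.

```powershell
# Added example, not code from the blog post. Assumes an elevated PowerShell
# session on Windows 10/11 x64. KB numbers are the July 2024 cumulative updates
# referenced on this page; adjust them for other Windows versions.

# 1) Is the Trident/MSHTML engine still present, and which build is it?
$mshtml = Join-Path $env:SystemRoot 'System32\mshtml.dll'
if (Test-Path $mshtml) {
    $item = Get-Item $mshtml
    Write-Output "MSHTML (Trident) engine present: $mshtml"
    Write-Output "  File version  : $($item.VersionInfo.FileVersion)"
    Write-Output "  Last modified : $($item.LastWriteTime)"
} else {
    Write-Output "mshtml.dll not found under System32"
}

# 2) State of the IE11 optional feature. 'Disabled' only removes the browser
#    GUI; mshtml.dll from step 1 remains, which is the point the post makes.
$ie = Get-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer-Optional-amd64' `
        -ErrorAction SilentlyContinue
if ($ie) {
    Write-Output "IE11 optional feature state: $($ie.State)"
} else {
    Write-Output "IE11 optional feature not present on this build"
}

# 3) Is one of the July 2024 cumulative updates installed?
$julyKbs   = @('KB5040427', 'KB5040442')
$installed = Get-HotFix | Where-Object { $julyKbs -contains $_.HotFixID }
if ($installed) {
    $installed | ForEach-Object {
        Write-Output "Installed: $($_.HotFixID) on $($_.InstalledOn)"
    }
} else {
    Write-Output "None of $($julyKbs -join ', ') reported by Get-HotFix; check Windows Update history"
}
```

Get-HotFix reads the Win32_QuickFixEngineering class, which does not always list every cumulative update, so treat a negative result in step 3 as a prompt to check the update history rather than as proof the patch is missing.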



[Tweet from The Hacker News: CVE-2024-38112 in MSHTML exploited]

I came across the above tweet from The Hacker News the other day, which discloses in this article that variants of the Atlantida campaign exploited the vulnerability in 2024 as part of the Void Banshee infection chains. Security researchers Peter Girnus and Aliakbar Zahravi are quoted as saying that the ability of APT groups like Void Banshee to exploit disabled services like [Internet Explorer] poses a significant threat to organizations worldwide.

Our colleagues at Bleeping Computer had already pointed out in this article on July 10, 2024 that the vulnerability CVE-2024-38112 has been exploited in malware attacks for over a year. Haifei Li from Check Point Research discovered the vulnerability and reported it to Microsoft in May 2024. The Check Point article here states that the oldest malware samples exploiting the vulnerability date back to January 2023. That fits the picture once again.

Has Microsoft understood the vulnerability?

The topic came up again the other day, as the Zero Day Initiative (ZDI) doubts that Microsoft developers even understood the problem properly. ZDI simply accuses Microsoft of "another coordinated failure to disclose vulnerabilities", as The Register writes in this article.

The vulnerability found by Trend Micro's Zero Day Initiative in May and reported to Redmond was classified as a spoofing vulnerability. Exploitation has been confirmed, but ZDI was not credited by Microsoft, it says. Not giving credit is one thing. But it looks like Microsoft did not understand what the vulnerability meant, according to The Register.

The discoverers at ZDI, on the other hand, claim that it is a remote code execution vulnerability, which would likely result in a more critical CVE rating. "They're saying that what we reported was just a defense-in-depth fix, but they're not telling us what that defense-in-depth fix really is," said Dustin Childs, head of threat detection at ZDI, in an exclusive interview with The Register. And further: "I hate to say this, but it seems like they really have no idea what's going on with this patch," Childs is quoted as saying. Details can be found in The Register article; it's all messy again.

Similar articles:
Microsoft Security Update Summary (July 9, 2024)
Patchday: Windows 10/Server Updates (July 9, 2024)
Patchday: Windows 11/Server 2022 updates (July 9, 2024)
Windows Server 2012 / R2 and Windows 7 (July 9, 2024)
Microsoft Office Updates (July 9, 2024)
Windows 11 update KB5040442 causes issues with Outlook 2021
Windows July 2024 updates break remote connections
Windows 10/11 updates (e.g. KB5040442) trigger Bitlocker queries (July 2024)
Windows Update July 2024: Are there issues with Radius authentications?
July 2024 security update KB5040427 crashes Windows 10/Server LPD printing service
Microsoft's fixes for various Windows bugs (July 2024)


