Why Microsoft? Why?
A vulnerability in IE (yes! IE!) has been used for over a year as a zero-day to plant infostealers on Windows machines.
Why does a legacy application that nobody ever uses anymore linger on a modern Microsoft operating system (OS) to haunt users?
As we mentioned in our article about July’s Patch Tuesday, there is an actively exploited spoofing vulnerability in the Microsoft Windows MSHTML Platform (the browser engine).
The baffling part of that vulnerability is that it allows an attacker to use a Windows internet shortcut file (.url) to load a malicious site in Internet Explorer (IE). It requires the target to open a malicious file sent by the attacker.
But if they can “social engineer” the victim into doing that, the malicious site will be opened in IE. For those who are not old enough to remember IE, it’s a legacy browser that Microsoft abandoned in 2015 in favor of Edge. Edge was later completely rebuilt as a Chromium-based browser, but kept the Edge name.
Now, knowing how long it’s been since IE was abandoned, you can imagine how much more vulnerable it is when it’s used to visit a malicious site. Especially one that was specifically crafted to exploit unpatched vulnerabilities.
The vulnerability that was patched as part of July’s Patch Tuesday was used as a zero-day, which means that cybercriminals were already using it before Microsoft was made aware of its existence. In this case, very likely for over a year.
According to researchers, the vulnerability listed as CVE-2024-38112 was used as part of an attack chain by the advanced persistent threat (APT) group Void Banshee, which targets North American, European, and Southeast Asian regions for information theft and financial gain.
It exploits the vulnerability to drop information-stealing malware on the target’s computer.
But how is it possible that attackers can abuse an app we’re usually not even aware is on our Windows 10 and 11 systems to drop malware on them?
The threat actors used spear-phishing tactics to direct targets to ZIP files containing copies of books in PDF format, along with malicious files disguised as PDFs. The ZIP files were hosted on online libraries, cloud sharing sites, Discord, and compromised websites.
In fact, these files were .URL files which, in conjunction with Microsoft protocol handlers and URI schemes, were able to reach the system-disabled IE browser.
A .URL file is a shortcut that points to a specific Uniform Resource Locator. When you double-click a .URL file, your computer opens the URL the file contains. .URL files most often contain web addresses that use the https: protocol; in these attacks, however, the criminals abused the MHTML protocol handler. MHTML is a format that bundles HTML code and its companion resources, such as images, into a single file.
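A .URL file is plain text in INI layout: an [InternetShortcut] section with a URL= key, which is why it is cheap to inspect before it ever reaches a user. The scanner below is an added example written for this article, not code from Malwarebytes or Microsoft; it parses that structure, flags shortcuts whose target uses the mhtml: scheme described above (or any scheme other than http/https), and flags file names that hide the .url extension behind a document-looking one, the "disguised as PDFs" lure the article mentions. The sample shortcut texts and the host name lure.invalid are constructed for the demonstration.

```python
"""Inspect Windows Internet Shortcut (.url) files for the lure pattern described above."""
import configparser
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Schemes a benign web shortcut is expected to use.
EXPECTED_SCHEMES = {"http", "https"}
# Document-looking extensions an attacker may place in front of ".url" as a lure
# (e.g. "Great Novel.pdf.url" shows as "Great Novel.pdf" when extensions are hidden).
LURE_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


@dataclass
class Verdict:
    filename: str
    target: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= value of the [InternetShortcut] section, or None if absent/unparsable."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:
        return None
    # Section names are case-sensitive in configparser; option names are lowercased.
    for section in parser.sections():
        if section.lower() == "internetshortcut" and parser.has_option(section, "url"):
            return parser.get(section, "url").strip()
    return None


def classify(filename: str, text: str) -> Verdict:
    """Combine the file-name check and the target-scheme check into one verdict."""
    target = parse_url_shortcut(text)
    verdict = Verdict(filename=filename, target=target)

    lower = filename.lower()
    if lower.endswith(".url"):
        stem = lower[:-4]
        for ext in LURE_EXTENSIONS:
            if stem.endswith(ext):
                verdict.reasons.append(f"double extension: looks like {ext} but is a .url shortcut")
                break

    if target is None:
        verdict.reasons.append("no parsable [InternetShortcut] URL= entry")
        return verdict

    scheme = urlsplit(target).scheme.lower()
    if scheme == "mhtml":
        verdict.reasons.append("mhtml: scheme routes the shortcut through the MSHTML/IE handler")
    elif scheme not in EXPECTED_SCHEMES:
        verdict.reasons.append(f"unexpected scheme {scheme!r}")
    return verdict


# Constructed sample shortcuts (not real files from the campaign).
SAMPLES: Dict[str, str] = {
    "Company Report.url": "[InternetShortcut]\r\nURL=https://example.com/report\r\nIDList=\r\n",
    "Great Novel.pdf.url": "[InternetShortcut]\r\nURL=mhtml:http://lure.invalid/book.html\r\n",
    "broken.url": "this is not a shortcut at all\r\n",
}


def scan_samples() -> Dict[str, List[str]]:
    """Run every sample through classify() and return filename -> reasons."""
    return {name: classify(name, text).reasons for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        status = "SUSPICIOUS" if reasons else "ok"
        print(f"{status:10} {name}")
        for reason in reasons:
            print(f"           - {reason}")
```

The scheme check is deliberately an allow-list rather than a block-list for mhtml: alone: any handler other than http/https in a shortcut that arrives by e-mail or in a downloaded ZIP deserves a look, and treating an unparsable shortcut as suspicious avoids silently passing malformed files.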
Microsoft has chosen to install IE 11 by default on Windows 10 even though support for the browser ended in 2022. It was “permanently” disabled during an update, but it’s still there and apparently not as “permanently” disabled as Microsoft claimed.
For starters, I feel installing IE by default on systems that are not likely to ever need it is like handing a Rosetta Stone to everyone all over the world just in case they find some Egyptian hieroglyphs in the backyard. If anyone should ever feel the need to use IE, they can install it. In the best-case scenario, while having to click through several security warnings.
But in most cases it will suffice to use IE mode in Edge, which provides some IE-specific functionality but runs inside the Microsoft Edge sandbox, giving it better security than IE 11.
Microsoft responded that:
Technically speaking, IE is still part of the Windows OS and is not inherently unsafe, as IE is still serviced for security vulnerabilities, and there should be no known exploitable security vulnerabilities.
This does not change the fact that it’s much easier to find vulnerabilities in a browser that is no longer in use than in any modern browser, even if the attacker needs a zero-day vulnerability.
And when you decide to install a weak link on a system, you should certainly make sure it doesn’t end up acting as a backdoor. A weak backdoor at that.
Come on, Microsoft. You either remove the backdoor, or you make sure that it matches the security of the front door. Don’t let criminals install infostealers on our computers.