Hackers exploited Windows’ MSHTML vulnerability for over a year


Researchers revealed that the recently patched Windows MSHTML vulnerability was under attack for more than a year before Microsoft was able to fix it. Although the vulnerability has now been patched, it remains critical for administrators of all vulnerable systems to apply the fix and scan those systems for possible infiltration.

Windows MSHTML vulnerability exploit works against both Windows 10 and 11

According to Check Point Research (CPR), criminal hackers had been exploiting the newly fixed Windows MSHTML vulnerability for 18 months.

As explained, the exploit worked because of the vulnerable ‘mhtml’ trick that allowed the adversary to call Internet Explorer instead of Microsoft Edge.

Although Microsoft replaced the Internet Explorer browser with Microsoft Edge and ended support in 2022, it remains somewhat accessible on Windows 10 systems, where it was available at the time the operating system launched. CPR has observed the same behavior even on the latest Windows 11, making even the latest Windows systems vulnerable to the MSHTML attack.

Regarding the exploit, the researchers stated that the attackers used a previously unknown technique to trick users into opening maliciously crafted files. The technique allowed the attackers to create files with the .url extension, which would call Internet Explorer because they used the mhtml: URI handler.

However, to evade detection, the attackers hid the “.url” extension, causing the files to appear as PDF files. Clicking on the file opens the Internet Explorer browser and downloads an archive of the data-stealing malware from the attacker-controlled web page. While the process generates several prompts that can alert a smart user, an average user may not pay attention to the prompts and end up falling prey to the attack.
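As an added example (not code from Check Point Research or the original article), the following Python script checks .url shortcut files for the two traits described above: a URL= value that uses the mhtml: handler, and a file name that imitates a document type. The decoy-extension list, the finding labels and the sample shortcut contents are assumptions constructed for illustration.

```python
from pathlib import Path

# Document types a shortcut name may imitate (heuristic list assumed for this example).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

# Constructed samples, not taken from any real campaign.
SAMPLE_SUSPICIOUS = "[InternetShortcut]\nURL=mhtml:http://example.invalid/page\n"
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://example.com/\n"

def shortcut_url(text):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "url":
                return value.strip()
    return None

def assess(filename, text):
    """Return the list of findings for one .url file (empty list means no finding)."""
    findings = []
    url = shortcut_url(text)
    if url and url.lower().startswith("mhtml:"):
        findings.append("mhtml-handler")
    # "report.pdf.url" is displayed as "report.pdf" when the .url extension is hidden.
    if Path(Path(filename).stem).suffix.lower() in DECOY_EXTS:
        findings.append("decoy-extension")
    return findings

def scan(root):
    """Walk root and map each flagged .url path to its findings."""
    flagged = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".url":
            data = path.read_bytes()
            # Shortcuts are usually plain text; honour a UTF-16 BOM if one is present.
            enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
            findings = assess(path.name, data.decode(enc, errors="replace"))
            if findings:
                flagged[str(path)] = findings
    return flagged

if __name__ == "__main__":
    import sys
    for name, findings in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, ",".join(findings))
```

Run it against download and mail-attachment directories; a shortcut that reports both findings matches the disguise described in the article and warrants manual review.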


The researchers have explained the entire attack strategy in their post.

Microsoft fixed the vulnerability with Patch Tuesday, July 2024

After discovering the vulnerability, Check Point Research reported the issue to Microsoft in May 2024. In response, the tech giant patched the vulnerability with the July 2024 Patch Tuesday updates, revealing the flaw as a zero-day.

Even though the patch is there, the researchers still advise users to remain cautious when opening .url files from unreliable sources.
