• Windows zero-day vulnerability exploited as far back as January 2023

    From Isaac Montara@21:1/5 to All on Wed Jul 10 22:34:54 2024
    XPost: alt.comp.os.windows-11, alt.comp.microsoft.windows

    Microsoft fixed a Windows zero-day vulnerability that has been actively exploited in attacks for eighteen months to launch malicious scripts while bypassing built-in security features.

    https://www.bleepingcomputer.com/news/security/windows-mshtml-zero-day-used-in-malware-attacks-for-over-a-year/

    The flaw, tracked as CVE-2024-38112, is a high-severity MHTML spoofing
    issue fixed during the July 2024 Patch Tuesday security updates.

    Haifei Li of Check Point Research discovered the vulnerability and
    disclosed it to Microsoft in May 2024.

    However, in a report by Li, the researcher notes that they have discovered samples exploiting this flaw as far back as January 2023.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From paul@21:1/5 to Isaac Montara on Thu Jul 11 09:30:11 2024
    XPost: alt.comp.os.windows-11, alt.comp.microsoft.windows

    Isaac Montara wrote on 11.07.2024 03:34

    However, in a report by Li, the researcher notes that they have discovered samples exploiting this flaw as far back as January 2023.

    https://arstechnica.com/security/2024/07/threat-actors-exploited-windows-0-day-for-more-than-a-year-before-microsoft-fixed-it/

The researchers from security firm Check Point said the attack code
executed "novel (or previously unknown) tricks to lure Windows users for
remote code execution." A link that appeared to open a PDF file appended a
.url extension to the end of the file, for instance, Books_A0UJKO.pdf.url,
found in one of the malicious code samples.
https://www.virustotal.com/gui/file/c9f58d96ec809a75679ec3c7a61eaaf3adbbeb6613d667257517bdc41ecca9ae/details

When viewed in Windows, the file showed an icon indicating the file was a
PDF rather than a .url file. Such files are designed to open an application
specified in a link.

A link in the file made a call to msedge.exe, a file that runs Edge. The
link, however, incorporated two attributes, mhtml: and !x-usc:, an "old
trick" threat actors have been using for years to cause Windows to open
applications such as MS Word. It also included a link to a malicious
website. When clicked, the .url file disguised as a PDF opened the site,
not in Edge, but in Internet Explorer.

"From there (the website being opened with IE), the attacker could do many
bad things because IE is insecure and outdated," Haifei Li, the Check Point
researcher who discovered the vulnerability, wrote. "For example, if the
attacker has an IE zero-day exploit (which is much easier to find compared
to Chrome/Edge), the attacker could attack the victim to gain remote code
execution immediately. However, in the samples we analyzed, the threat
actors didn't use any IE remote code execution exploit. Instead, they used
another trick in IE, which is probably not publicly known previously, to the
best of our knowledge, to trick the victim into gaining remote code
execution."

IE would then present the user with a dialog box asking them if they wanted
to open the file masquerading as a PDF. If the user clicked "open," Windows
presented a second dialog box displaying a vague notice that proceeding
would open content on the Windows device. If users clicked "allow," IE
would load a file ending in .hta, an extension that causes Windows to open
the file in Internet Explorer and run embedded code.

"To summarize the attacks from the exploitation perspective: the first
technique used in these campaigns is the 'mhtml' trick, which allows the
attacker to call IE instead of the more secure Chrome/Edge," Li wrote. "The
second technique is an IE trick to make the victim believe they are opening
a PDF file, while in fact, they are downloading and executing a dangerous
.hta application. The overall goal of these attacks is to make the victims
believe they are opening a PDF file, and it is made possible by using these
two tricks."

    The Check Point post includes cryptographic hashes for six malicious .url
    files used in the campaign. Windows users can use the hashes to check if
    they have been targeted.

  • From Newyana2@21:1/5 to All on Thu Jul 11 08:52:49 2024
    XPost: alt.comp.os.windows-11, alt.comp.microsoft.windows

    I should add that IE is also still the basis of the WebBrowser
    control used in VB6 and .Net. More recently there's been an Edge
    version. But it's good to be aware that any program with a
    built-in browser window is probably running an IE window. The
    differences will be slight.

  • From Newyana2@21:1/5 to Isaac Montara on Thu Jul 11 08:48:46 2024
    XPost: alt.comp.os.windows-11, alt.comp.microsoft.windows

On 7/10/2024 10:34 PM, Isaac Montara wrote:
Microsoft fixed a Windows zero-day vulnerability that has been actively exploited in attacks for eighteen months to launch malicious scripts while bypassing built-in security features.

https://www.bleepingcomputer.com/news/security/windows-mshtml-zero-day-used-in-malware-attacks-for-over-a-year/

The flaw, tracked as CVE-2024-38112, is a high-severity MHTML spoofing
issue fixed during the July 2024 Patch Tuesday security updates.

Thanks. Interesting bug. I removed Edge, so this sample would show no
icon for me. I also took the following steps in the Registry, since I
don't expect to have any use for MHTML files. (And the MS fix would
disable them for me anyway, as MS switches the association to Edge.)


Delete HKCR\.mht and HKCR\.mhtml
Delete HKCR\mhtmlfile (requires taking ownership)
Delete HKCR\protocols\mhtml (requires taking ownership)

One could also export these keys first, just in case some unseen
dependency shows up. But I opened the Metro version of system settings,
which likes to break more than anything else on Win10, and it works
fine... So I'm not worried. :)

    I don't see the point of an MHTML file these days. Supposedly it
    puts all webpage files into a single package. But script and CSS can
    already go into an HTML file.

    For those who may not know or may have forgotten: HTA files are
    HTML applications. They're run by mshta.exe, but they're essentially
    a webpage with no security aside from a requirement that it must be
    opened locally. And in all recent browsers, any number of images can
    be encoded as base-64 and embedded via "data uri". I use that
    technique myself. For example, I have an HTML file showing the signs
    of various nutrient deficiencies in plant leaves. I encoded the images,
    so that a single HTML file can display 8 or 10 pictures when it's opened.
    Very useful.

HTAs: MS came up with HTAs in the IE5 era. ActiveX was being scorned.
Security was an increasing issue. But corporate IT people were using
HTAs to write all sorts of utilities. An HTA allows a webpage to be
software, limited only by whatever dispatch COM libraries are registered
locally. The only restriction is that it must be run on the local computer.

I've written and use HTAs to edit MSI files, show a folder full of
thumbnail images, display Windows SDK help without an MSDN subscription,
as a frontend to a custom email storage database, and many other things.
It's basically the same idea as "apps" -- an HTML graphical UI backed by
script. But super-charged by the ability to use COM objects AKA ActiveX.
WMI, WIA, MSI, FileSystemObject, SAPI... nearly anything can be done
via COM object scripting.

    If you have no use for HTAs you can change the .hta extension handler
    to something like Notepad for better safety. Though some MS utilities may
    use HTAs.

It's true that IE is completely there in Win10.
HTAs are IE. IE can be instantiated by script. If ieframe.dll is replaced
with an older version then IE itself can still be run directly. I've
done that myself. I replaced both versions of the file with a copy from
Win10 20H2. The reason is because I like IE11 as default browser. Then I
also block it from going online via firewall. The result is a zippy
browser for opening local webpages while thwarting things like fake help
links in software that don't actually open a help file but rather try to
jump online. With this arrangement, I can't be tricked into opening a
webpage.... Now if I could just remove the idiotic, yellow smiley face
from the IE11 window handle then I'd be happy. :)
