Check Point Software Technologies has unveiled new information about CVE-2024-38112, a zero-day flaw in Windows that was recently patched as part of this month’s Patch Tuesday release. The vulnerability, which has been exploited in the wild, was discovered by Haifei Li, principal vulnerability researcher at Check Point.
According to Microsoft, the flaw is a spoofing vulnerability in the Windows MSHTML platform, with a CVSS score of 7.5. To exploit the vulnerability, an attacker would need to send a victim a malicious file that the victim would then have to execute.
In a thread on X (formerly Twitter), Li expressed some frustration with Microsoft’s handling of the patch release, stating that the company released the patch earlier than expected without notifying Check Point. However, Microsoft later reached out to Li to address the miscommunication and improve future coordination.
Technical Insights and Threat Actor Activities
Check Point Research published a blog post authored by Li, providing technical details about CVE-2024-38112. The post revealed that threat actors were using malicious Windows Internet Shortcut Files disguised as PDFs to gain remote code execution on victims’ machines.
Although Internet Explorer is no longer officially supported, the presence of its code in the Windows OS allows threat actors to exploit the flaw, even on systems without IE installed. The attacks observed by Check Point involved luring victims into clicking on .url files that would open the retired IE browser and visit an attacker-controlled URL.
While the identities of the threat actors remain unknown, Check Point’s research group manager, Eli Smadja, stated that at least two separate campaigns were likely responsible for the threat activity. One of the threat actors had a history of infostealer infections and targeted users in Turkey and Vietnam.
Overall, the discovery of CVE-2024-38112 highlights the ongoing challenges in cybersecurity and the importance of coordinated disclosure between researchers and vendors to protect users from potential exploits.
Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
