Check Point recently uncovered a remote code execution vulnerability, tracked as CVE-2024-38112, that affects Microsoft Windows users and various versions of Windows Server. The attackers used Windows Internet Shortcut files to make the retired Internet Explorer open an attacker-controlled URL whose malicious file extension was hidden. By routing the request through Internet Explorer instead of more secure browsers such as Chrome or Edge, the threat actors gained an upper hand in compromising the victim’s device.
Deceptive Tactics and High-Severity Vulnerability
The attackers also employed a deceptive tactic: they tricked the victim into thinking they were opening a PDF file when, in reality, they were downloading and running a hazardous .hta application, as noted by the Check Point researchers. This high-severity vulnerability, which carries a severity score of 7.5, has been added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog because of active exploitation. Federal agencies have been instructed to update or shut down all affected Windows systems by July 30 to mitigate the risk.
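The two lures described above (an Internet Shortcut whose file name shows a PDF while the real extension is different, and a target URL that downloads an .hta application) can be checked for mechanically. The following scanner is an added illustration written for this page; it is not Check Point's or Microsoft's tooling, it covers only the decoy pattern the article describes and not the Internet Explorer invocation itself, and the sample shortcut files, the `.example` hosts and the extension lists beyond `.hta` and `.pdf` are constructed assumptions.

```python
"""Flag Windows Internet Shortcut (.url) files whose file name or target
matches the decoy-document pattern described in the article.  Added
illustration; sample files and hosts below are constructed."""
import configparser
import os
from urllib.parse import urlparse

# Extensions that execute when opened after download. The article names
# only .hta; the others are an assumed, conservative extension of the list.
EXECUTABLE_EXT = {".hta", ".exe", ".js", ".vbs", ".scr"}
# Document extensions an attacker would show the victim as a decoy
# (the article mentions PDF; the rest are assumed).
DECOY_EXT = {".pdf", ".docx", ".xlsx"}


def parse_internet_shortcut(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section.
    Keys are lower-cased; a missing section yields an empty dict."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    if not parser.has_section("InternetShortcut"):
        return {}
    return dict(parser.items("InternetShortcut"))


def _visible_and_real_extension(filename: str):
    """Split e.g. 'Invoice.pdf     .url' into ('.pdf', '.url', padded=True).
    Whitespace before the real extension pushes it out of view in Explorer."""
    stem, real_ext = os.path.splitext(filename)
    trimmed = stem.rstrip()          # drop padding used to hide the real extension
    padded = trimmed != stem
    visible_ext = os.path.splitext(trimmed)[1]
    return visible_ext.lower(), real_ext.lower(), padded


def assess_shortcut(filename: str, content: str) -> list:
    """Return human-readable findings for one .url file; [] means clean."""
    findings = []

    # 1. File name pretends to be a document while really being a shortcut.
    visible_ext, real_ext, padded = _visible_and_real_extension(filename)
    if visible_ext in DECOY_EXT and real_ext != visible_ext:
        kind = "whitespace-padded" if padded else "double"
        findings.append(f"{kind} extension: shows {visible_ext}, is really {real_ext}")

    # 2. Target URL hands the user an executable file type.
    fields = parse_internet_shortcut(content)
    url = fields.get("url", "")
    if not url:
        findings.append("no URL= entry in [InternetShortcut]")
        return findings
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ("http", "https"):
        findings.append(f"non-web scheme: {parsed.scheme or '(none)'}")
    target_ext = os.path.splitext(parsed.path)[1].lower()
    if target_ext in EXECUTABLE_EXT:
        findings.append(f"target downloads an executable: {target_ext}")
    return findings


# Constructed sample shortcuts (not real artifacts): one benign, two decoys.
SAMPLES = {
    "Quarterly Report.url":
        "[InternetShortcut]\nURL=https://intranet.example/reports\n",
    "Invoice.pdf.url":
        "[InternetShortcut]\nURL=https://files.example.test/invoice.hta\n",
    "Invoice.pdf          .url":
        "[InternetShortcut]\nURL=https://files.example.test/invoice.hta\nIconIndex=0\n",
}


def scan_samples() -> dict:
    """Run the assessment over every constructed sample."""
    return {name: assess_shortcut(name, body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(repr(name), "->", findings or ["clean"])
```

In practice the same function would be run over `.url` attachments extracted from mail or from download directories; the file name check matters because Explorer hides the `.url` suffix of Internet Shortcuts by default, so a padded or doubled document extension is what the victim actually sees.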
Analysis and Urgency
Further analysis reveals that, of approximately 500,000 endpoints running Windows 10 and 11, over 10% lack endpoint protection controls and nearly 9% have no patch management controls in place, leaving those organizations exposed to potential attacks. Although Microsoft released a patch on July 9, some exploitation of this vulnerability dates back more than a year, which underlines the urgency for organizations to act swiftly in securing their systems.