Microsoft Windows Deadline: You Have 21 Days to Update Your PC

Updated 11/07 with comments from Microsoft and a fix for the issue with the previous update.

Microsoft Windows users are suddenly at risk from a “previously unknown” trick used to attack their PCs. The threat is actively exploiting a hidden vulnerability on your system, one that Microsoft has only just patched.

Check Point’s research team warns that “attackers are using special Windows Internet Shortcut files, which, when clicked, invoke the outdated Internet Explorer (IE) to visit the attacker-controlled URL… By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, even though the computer is running the modern Windows 10/11 operating system.”

The threat is so serious that the U.S. government has just added it to its Known Exploited Vulnerabilities catalog. The government warns that Microsoft Windows “contains a spoofing vulnerability that significantly impacts confidentiality, integrity, and availability.”

CISA, the government’s cybersecurity agency, has mandated that all Windows systems used by federal employees be updated or shut down within 21 days, no later than July 30. Given that Check Point reports that “threat actors have been using the attack techniques for some time,” it is critical that all organizations follow CISA’s mandate as well.

We’ve already seen another CISA July Windows update mandate this month. But this time, the first known exploits date back over a year, which is an alarming amount of time for an exposure to be in the wild.

Microsoft publicly acknowledged in its July update that this vulnerability had been exploited; a spokesperson told me, “We greatly appreciate [Check Point’s] Haifei Li for this research and for responsibly reporting it under a coordinated vulnerability disclosure. Customers who have installed the update are already protected.”

Many Windows users will understandably be unhappy that this is possible, since IE was discontinued long ago. “IE is an outdated web browser and was notoriously insecure,” Check Point says, even though “IE is still part of the Windows operating system.” Users shouldn’t be able to open URLs with IE unless specifically prompted to do so. But “with the mhtml trick,” a victim clicks on a link thinking it’s a PDF to open, not an IE shortcut.
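A defender-side check for the shortcut trick described above, added here as an example that is not part of the Forbes article or of Check Point’s research: it parses Windows Internet Shortcut (.url) files, which are INI-style text with an [InternetShortcut] section and a URL= key, and flags ones whose URL hands the link to the mhtml: handler or whose name mimics a document. The sample shortcut contents are constructed, and the scanner assumes nothing beyond that documented file layout.

```python
import configparser
import os
import re
from typing import Dict, List

# A .url file is INI-style text: an [InternetShortcut] section with a URL= key.
MHTML_PREFIX = re.compile(r"^\s*mhtml:", re.IGNORECASE)
# Explorer hides the .url suffix, so "Report.pdf.url" is shown to the user as "Report.pdf".
DOC_DISGUISE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.url$", re.IGNORECASE)


def parse_url_shortcut(text: str) -> Dict[str, str]:
    """Return the [InternetShortcut] keys (lower-cased) or {} if the text is not a shortcut."""
    # Only '=' separates key and value; the URL itself contains ':' so it must not be a delimiter.
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM at the start of the file
    except configparser.Error:  # no section header, malformed lines, etc.
        return {}
    if not parser.has_section("InternetShortcut"):
        return {}
    return dict(parser.items("InternetShortcut"))


def assess_shortcut(filename: str, text: str) -> List[str]:
    """Return finding tags for one shortcut; an empty list means nothing suspicious was seen."""
    findings = []
    url = parse_url_shortcut(text).get("url", "")
    if MHTML_PREFIX.match(url):
        findings.append("mhtml-handler")      # link is routed to the Internet Explorer engine
    if DOC_DISGUISE.search(os.path.basename(filename)):
        findings.append("document-disguise")  # double extension hides that it is a shortcut
    return findings


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a tree and map every .url file that has findings to its finding tags."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".url"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                tags = assess_shortcut(path, fh.read())
            if tags:
                hits[path] = tags
    return hits


# Constructed samples for demonstration; not taken from any real attack file.
SUSPICIOUS = "[InternetShortcut]\r\nURL=mhtml:http://example.invalid/landing\r\n"
BENIGN = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"
```

Run `scan_directory` over a user's Downloads folder or a mail attachment quarantine to list shortcuts that deserve a closer look; a hit on both tags together is the pattern this article describes.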

This vulnerability—CVE-2024-38112—isn’t the only Microsoft Windows patch on CISA’s list with a July 30 deadline. The agency also added CVE-2024-38080, warning that “Microsoft Windows Hyper-V contains a privilege escalation vulnerability that could allow a local attacker with user privileges to gain SYSTEM privileges.” Updating Windows now will clearly address both of those, as well as another 137 patches in Microsoft’s bloated July update.

Eli Smadja of Check Point describes the exploit they discovered as “particularly surprising… using Internet Explorer, which many users may not even realize is on their computer, to carry out their attack,” adding that all Windows users “should immediately apply the Microsoft patch to protect themselves.”

This report should also give Windows 10 holdouts pause for thought ahead of its end-of-life date in October, when it will no longer receive regular security updates like this one unless you opt for a new, paid subscription. The latest stats suggest that Microsoft is finally making some progress in nudging users to upgrade, which is welcome.

It’s a busy time for Windows updates. At the same time, users are now being inundated with news about July’s patched zero-days, mandatory Windows 11 updates to retain access to security fixes (like this one), and the continued push to move from 10 to 11.

And this being Windows, things don’t always run smoothly. Microsoft just fixed an issue in the June Windows security update where “devices may fail to boot; affected systems may require repeated restarts and repair operations to return to normal operation.” That problem led to the update being pulled.

Per BleepingComputer: “This fix comes after Redmond was forced to pull the update on June 27 following reports that it was causing some Windows devices to repeatedly reboot, while others would not boot at all… The same update also causes the taskbar to freeze or not display properly on systems running Windows N edition or with the Media Features feature disabled.”

This issue occurred late last month, just as CISA’s July 4 deadline for a mandatory Windows update was approaching, leaving some users unable to update. It initially appeared that a broad range of users would be affected, before it became clear that the issue primarily hit devices running virtual machines or virtualization roles, but it still caused significant disruption to the monthly update process.

Fortunately, nothing of the sort has happened this time, but watch this space…