Resurrecting Internet Explorer -- the nasty threat impacting potentially millions of Windows 10 and 11 users

Check Point Research (CPR) has identified a critical zero-day spoofing attack exploiting Microsoft Internet Explorer on modern Windows 10/11 systems, despite the browser's retirement.

Identified as CVE-2024-38112, this vulnerability allows attackers to execute remote code by tricking users into opening malicious Internet Shortcut (.url) files. This attack method has been active for over a year and could potentially impact millions.

The exploit involves tricking users into clicking .url files that unexpectedly force Internet Explorer to navigate to a harmful URL. Attackers use a sophisticated trick to mask the malicious .hta extension, making use of the outdated security of Internet Explorer to compromise systems running updated Windows operating systems.

Historically, .url files have been a common vector for initiating attacks, with recent vulnerabilities like CVE-2023-36025, patched last November, using similar tactics. Despite Microsoft replacing Internet Explorer with the more secure Edge browser and users commonly opting for Google Chrome, this exploit targets the remains of Internet Explorer.

The attack works by misleading victims into thinking they are opening a PDF, while actually connecting them to an attacker-controlled website via Internet Explorer. This allows the attackers to employ further deceptive methods to execute malicious code.

You can read more about the exploit here. As always, the trick to avoid this kind of threat is to make sure you know what you’re clicking on and always ensure Windows is fully up to date.