Internet Explorer zero-day stealthily targets Windows 10 and 11 users

So, you thought you’d seen the last of the insecure abomination that was the Internet Explorer web browser, huh? Think again.

What if I were to tell you that your installation of Windows 10 or 11 (including Server editions) still comes with Internet Explorer installed by default, despite it being ‘retired’ by Microsoft two years ago?

And, while we’re all in shocking-revelation mode, what if I were to tell you that Morpheus never uttered that infamous line in The Matrix, despite a million memes claiming he did?

Prepare for shock number three: security researchers have revealed a zero-day exploit that has been using Internet Explorer to install malware for at least a year.

Check Point reveals Internet Explorer zero-day exploit

A Check Point Research report titled Resurrecting Internet Explorer details how attackers were able to use a vulnerability in the MSHTML browser engine that powered Internet Explorer.

Catalogued as CVE-2024-38112, this zero-day spoofing vulnerability enabled attackers to weaponise Internet Shortcut files which called Internet Explorer to visit a malicious site.

“An additional trick on IE is used to hide the malicious .hta extension name,” the Check Point researchers said.

“By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.”

Microsoft included a fix for this vulnerability in the latest Patch Tuesday rollout, so you know what to do!

“We greatly appreciate Haifei Li [author of the Check Point report] for this research and for responsibly reporting it under a coordinated vulnerability disclosure,” Microsoft told me in a statement. “Customers who have installed the update are already protected.”

Industry reaction to IE exploit

“Given the extensive use of MSHTML across numerous applications, the potential reach and impact of this vulnerability are substantial, affecting a broad user base,” said Mike Walters, Co-Founder of Action1.

Walters warns that attackers can leverage CVE-2024-38112 for various malicious purposes, such as “redirecting users to cloned banking or e-commerce sites to steal credentials and financial information, conducting corporate espionage and causing widespread damage to the community”.

Microsoft quite rightly notes that the complexity required for successful exploitation of this vulnerability is high, but needless to say, that hasn’t stopped it from being deployed over the past 12 months or so.

Satnam Narang, Senior Staff Research Engineer at Tenable, said it could be “exploited by an unauthenticated, remote attacker if they convince a potential target to open a malicious file”.

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
