Nasty Spoofing Attack Resurrects Internet Explorer Vulnerability in Windows 10 and 11 (betanews.com) 21
Slashdot reader joshuark shared this report from BetaNews:
Check Point Research has identified a critical zero-day spoofing attack exploiting Microsoft Internet Explorer on modern Windows 10/11 systems, despite the browser's retirement.
Identified as CVE-2024-38112, this vulnerability allows attackers to execute remote code by tricking users into opening malicious Internet Shortcut (.url) files. This attack method has been active for over a year and could potentially impact millions... Attackers use a sophisticated trick to mask the malicious .hta extension, making use of the outdated security of Internet Explorer to compromise systems running updated Windows operating systems.
From Check Point Research: Even though IE has been proclaimed "retired and out-of-support," technically speaking, IE is still part of the Windows OS and is "not inherently unsafe, as IE is still serviced for security vulnerabilities, and there should be no known exploitable security vulnerabilities," according to our communications with Microsoft.
Identified as CVE-2024-38112, this vulnerability allows attackers to execute remote code by tricking users into opening malicious Internet Shortcut (.url) files. This attack method has been active for over a year and could potentially impact millions... Attackers use a sophisticated trick to mask the malicious .hta extension, making use of the outdated security of Internet Explorer to compromise systems running updated Windows operating systems.
From Check Point Research: Even though IE has been proclaimed "retired and out-of-support," technically speaking, IE is still part of the Windows OS and is "not inherently unsafe, as IE is still serviced for security vulnerabilities, and there should be no known exploitable security vulnerabilities," according to our communications with Microsoft.
Comment removed (Score:3, Interesting)
Re:end of life (Score:4, Insightful)
Most upgrades... aren't though.
For example, MacOS Preview worked quite well in 10.15. I open the same file in 14.5, and Preview can't even Find text that exists in the file that worked fine in 10.15 (and other errors too; 14.5 won't rotate a page for viewing for "protected" PDFs, because it treats it as an edit, rather than just a view. Worked fine in 10.15).
Consider all the other "features" that Microsoft is adding or deleting from Windows, like their ads in the start menu, changes to Notepad, changes to local account support, etc.
Higher version numbers are not necessarily "upgrades", they are just changes.
Re: (Score:1)
I think it's completely acceptable for businesses to not support retired software.
Fine.. then they must forfeit all copyrights and patents on said soft/hardware. It gives us a kind of "right to repair"
Software legacies (Score:5, Insightful)
Re:Software legacies (Score:5, Interesting)
The fact that Linux has so much trouble switching from X.org to Wayland should tell you.
This sentence doesn't actually make any sense.
X contains old crusty stuff. But we could have abandoned that stuff and used the parts we normally use all the time for a composited desktop and kept X. It would hardly have been X, but it also would have cut out all the stuff the maintainers (who are now the Wayland developers) didn't want to maintain.
Wayland isn't any faster than X.
Wayland's design isn't any more secure than X's, the maintainers simply didn't maintain the security parts of X and then complained that they didn't work. Well yeah, no kidding, they didn't keep them working.
Wayland doesn't actually work better than X. It's not more reliable and it doesn't have more functionality.
Linux is a kernel. The kernel isn't switching to Wayland.
If you meant Linux as a community, which you should have said, it's not clear that we all want to switch to Wayland, ever. It's not ever going to do all of the things X does, by design. I like those things. I don't want to switch, unless Wayland is redesigned to do those things.
Fifteen years later, Wayland still offers me no incentive to switch. That has literally nothing to do with the design of Linux.
Re: (Score:2)
Re: (Score:3)
It was believed that once Linux offered all the options that Windows users had grown accustomed to, there would be a mass exodus from the commercial world to the OSS world.
Yeah, but look, that's dumb. What people using Windows and thinking about switching want isn't Windows all over again, where you get cryptic error codes that you have to look up on documents that Microsoft has started hiding or destroying.* They want something different!
Wayland was designed to be particularly attractive to PC gamers, who used to complain about framerates and resolution issues and mouse and keyboard input standards and that their games didn't work in OpenGL, just DirectX etc.
Yeah, but that stuff all works with X now. I play games, I use controllers, it's all supported.** AMD graphics drivers sometimes lag, but of late the Nvidia binary drivers on Linux are up to date with the Windows drivers. And the old hardwar
Re: (Score:3)
What do you call an operating system that ships with DLLs dating back to the 90s? A stable ABI.
How to run MSIE (Score:5, Interesting)
MSIE is hidden on Windows 10 now, you can't run "iexplore.exe", but you can still access it.
Control Panel -> Internet Options -> Programs tab -> Manage Addons -> "Learn more about toolbars and extensions" link. That will start Internet Explorer.
Re:How to run MSIE (Score:5, Funny)
Or chant "I summon thee" three times.
change how .hta files are processed (Score:4, Interesting)
Way back in Win7, I "fixed" this issue by telling it that .hta (and several similar extensions) were TEXT files, and not executables. This was recommended back then, because of this sort of problem.
Apparently, no one learns.
Re:change how .hta files are processed (Score:4, Insightful)
If you think Windows can't be persuaded to execute text files, you haven't been paying attention.
Re: (Score:2, Flamebait)
Nobody thinks it can't.
In fact, most people capable of understanding the problem knows that these are text files that Windows is being persuaded to execute.
However, the mechanism being used is that they go through the OS' system for determining what to do with files based on their types. If you change the handling of the file types in question, they won't be used that way, and the attack will fail.
On the other hand, it will possibly break things in the OS itself as well. IME the different bits of windows ha
Microsoft was right (for once) (Score:2)
For decades we've been told by Microsoft they can't remove IE because it's part of the OS. And here we are. Looks like they were telling the truth after all. To our detriment.
Re: (Score:2)
Microsoft uses IE to display all kinds of stuff that used to be displayed by some other component in the past, so that they can use HTML formatted documents instead of windows help (.hlp) documents.
There's no good reason why they can't sub in some other browser engine, though.
Re: (Score:2)
> There's no good reason why they can't sub in some other browser engine, though.
As long as they can keep it updated.
file mapping (Score:2)
This kind of attack has been around for at least a few years. In my environment, I mapped mshtml and hta files to notepad. We basically never need these formats so having them open as text is not an issue.