Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Windows

Nasty Spoofing Attack Resurrects Internet Explorer Vulnerability in Windows 10 and 11 (betanews.com) 21

Slashdot reader joshuark shared this report from BetaNews: Check Point Research has identified a critical zero-day spoofing attack exploiting Microsoft Internet Explorer on modern Windows 10/11 systems, despite the browser's retirement.

Identified as CVE-2024-38112, this vulnerability allows attackers to execute remote code by tricking users into opening malicious Internet Shortcut (.url) files. This attack method has been active for over a year and could potentially impact millions... Attackers use a sophisticated trick to mask the malicious .hta extension, making use of the outdated security of Internet Explorer to compromise systems running updated Windows operating systems.

From Check Point Research: Even though IE has been proclaimed "retired and out-of-support," technically speaking, IE is still part of the Windows OS and is "not inherently unsafe, as IE is still serviced for security vulnerabilities, and there should be no known exploitable security vulnerabilities," according to our communications with Microsoft.
This discussion has been archived. No new comments can be posted.

Nasty Spoofing Attack Resurrects Internet Explorer Vulnerability in Windows 10 and 11

Comments Filter:
  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Saturday July 13, 2024 @02:38PM (#64623589)
    Comment removed based on user account deletion
    • Re:end of life (Score:4, Insightful)

      by ThosLives ( 686517 ) on Saturday July 13, 2024 @02:47PM (#64623613) Journal

      Most upgrades... aren't though.

      For example, MacOS Preview worked quite well in 10.15. I open the same file in 14.5, and Preview can't even Find text that exists in the file that worked fine in 10.15 (and other errors too; 14.5 won't rotate a page for viewing for "protected" PDFs, because it treats it as an edit, rather than just a view. Worked fine in 10.15).

      Consider all the other "features" that Microsoft is adding or deleting from Windows, like their ads in the start menu, changes to Notepad, changes to local account support, etc.

      Higher version numbers are not necessarily "upgrades", they are just changes.

    • by Anonymous Coward

      I think it's completely acceptable for businesses to not support retired software.

      Fine.. then they must forfeit all copyrights and patents on said soft/hardware. It gives us a kind of "right to repair"

  • Software legacies (Score:5, Insightful)

    by xack ( 5304745 ) on Saturday July 13, 2024 @03:02PM (#64623653)
    Operating systems have tons of tech debt, you only have to look through system32 to see .dll files from the 90s in Windows. And Linux is still using ideas from the 70s. The fact that Linux has so much trouble switching from X.org to Wayland should tell you. With Internet Explorer's case the fact that so many web apps were written using it means that even though we've taken a lot of effort to rewrite apps, there's still millions of IE only web sites on corporate intranets everywhere. And the fact that so many tech people were laid off it means that they won't be replaced. Microsoft is in a deep chasm because they want to modernize Windows by moving it to ARM and having AI bells and whistles, but Internet Explorer-baseed x86 ActiveX apps will mean that most companies won't bother. Expect more CVEs in the future, as there is the phenomenon of software ossification, where software has to stay broken because "fixing" it will break even more stuff.
    • Re:Software legacies (Score:5, Interesting)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Saturday July 13, 2024 @04:50PM (#64623781) Homepage Journal

      The fact that Linux has so much trouble switching from X.org to Wayland should tell you.

      This sentence doesn't actually make any sense.

      X contains old crusty stuff. But we could have abandoned that stuff and used the parts we normally use all the time for a composited desktop and kept X. It would hardly have been X, but it also would have cut out all the stuff the maintainers (who are now the Wayland developers) didn't want to maintain.

      Wayland isn't any faster than X.

      Wayland's design isn't any more secure than X's, the maintainers simply didn't maintain the security parts of X and then complained that they didn't work. Well yeah, no kidding, they didn't keep them working.

      Wayland doesn't actually work better than X. It's not more reliable and it doesn't have more functionality.

      Linux is a kernel. The kernel isn't switching to Wayland.

      If you meant Linux as a community, which you should have said, it's not clear that we all want to switch to Wayland, ever. It's not ever going to do all of the things X does, by design. I like those things. I don't want to switch, unless Wayland is redesigned to do those things.

      Fifteen years later, Wayland still offers me no incentive to switch. That has literally nothing to do with the design of Linux.

      • Wayland was part of a concerted effort to make Linux look and act like Windows desktops, aka "the year of the Linux desktop". It was believed that once Linux offered all the options that Windows users had grown accustomed to, there would be a mass exodus from the commercial world to the OSS world. Wayland was designed to be particularly attractive to PC gamers, who used to complain about framerates and resolution issues and mouse and keyboard input standards and that their games didn't work in OpenGL, just
        • It was believed that once Linux offered all the options that Windows users had grown accustomed to, there would be a mass exodus from the commercial world to the OSS world.

          Yeah, but look, that's dumb. What people using Windows and thinking about switching want isn't Windows all over again, where you get cryptic error codes that you have to look up on documents that Microsoft has started hiding or destroying.* They want something different!

          Wayland was designed to be particularly attractive to PC gamers, who used to complain about framerates and resolution issues and mouse and keyboard input standards and that their games didn't work in OpenGL, just DirectX etc.

          Yeah, but that stuff all works with X now. I play games, I use controllers, it's all supported.** AMD graphics drivers sometimes lag, but of late the Nvidia binary drivers on Linux are up to date with the Windows drivers. And the old hardwar

    • by Dwedit ( 232252 )

      What do you call an operating system that ships with DLLs dating back to the 90s? A stable ABI.

  • How to run MSIE (Score:5, Interesting)

    by Dwedit ( 232252 ) on Saturday July 13, 2024 @03:21PM (#64623671) Homepage

    MSIE is hidden on Windows 10 now, you can't run "iexplore.exe", but you can still access it.

    Control Panel -> Internet Options -> Programs tab -> Manage Addons -> "Learn more about toolbars and extensions" link. That will start Internet Explorer.

  • by WoodstockJeff ( 568111 ) on Saturday July 13, 2024 @03:23PM (#64623673) Homepage

    Way back in Win7, I "fixed" this issue by telling it that .hta (and several similar extensions) were TEXT files, and not executables. This was recommended back then, because of this sort of problem.

    Apparently, no one learns.

    • by zephvark ( 1812804 ) on Saturday July 13, 2024 @04:07PM (#64623741)

      If you think Windows can't be persuaded to execute text files, you haven't been paying attention.

      • Re: (Score:2, Flamebait)

        by drinkypoo ( 153816 )

        Nobody thinks it can't.

        In fact, most people capable of understanding the problem knows that these are text files that Windows is being persuaded to execute.

        However, the mechanism being used is that they go through the OS' system for determining what to do with files based on their types. If you change the handling of the file types in question, they won't be used that way, and the attack will fail.

        On the other hand, it will possibly break things in the OS itself as well. IME the different bits of windows ha

  • For decades we've been told by Microsoft they can't remove IE because it's part of the OS. And here we are. Looks like they were telling the truth after all. To our detriment.

    • Microsoft uses IE to display all kinds of stuff that used to be displayed by some other component in the past, so that they can use HTML formatted documents instead of windows help (.hlp) documents.

      There's no good reason why they can't sub in some other browser engine, though.

      • > There's no good reason why they can't sub in some other browser engine, though.

        As long as they can keep it updated.

  • This kind of attack has been around for at least a few years. In my environment, I mapped mshtml and hta files to notepad. We basically never need these formats so having them open as text is not an issue.

"The lesser of two evils -- is evil." -- Seymour (Sy) Leon

Working...