Microsoft Windows deadline – why you should update your PC by July 30

For Microsoft, July will not be remembered as a good month on the security front. Those images of countless blue screens around the world will linger. And while the problem lay with CrowdStrike, not Microsoft, appearances matter. The wall-to-wall headlines also make it all too easy to forget the actual Windows threats lurking in the background, flagged in warnings that predate the CrowdStrike incident. But forgetting them can be dangerous.

Earlier this month, before the blue screens of death began to take hold, both Check Point and Trend Micro reported that Windows 10 and 11 users were now at risk from a “previously unknown” threat that cleverly wakes up the Internet Explorer code buried under the hood of hundreds of millions of computers, using wide-open security holes.

As Check Point warned on July 9, “attackers use special Windows Internet Shortcut files that, when clicked, call the deprecated Internet Explorer (IE) to visit a URL controlled by the attacker… By opening a URL with IE instead of the modern and much more secure Chrome/Edge browser in Windows, the attacker got significant advantages in exploiting the victim’s computer, even though the computer is running the modern Windows 10/11 operating system.”

Then, just days later, Trend Micro raised the threat level, warning that the vulnerability “was used as a zero-day to access and execute files through disabled Internet Explorer using MSHTML… infect[ing] victim machines with the Atlantida info-stealer program, which focuses on stealing system information and sensitive data (such as passwords and cookies) from various applications.”
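To show what reviewing such shortcut files can look like, here is an added example (not code from Check Point, Trend Micro or Microsoft) that reads the URL= entry of Internet Shortcut (.url) files and flags any target that is not plain http or https. The allowlist, the file names, the hosts and the `legacy-handler:` scheme are assumptions constructed for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Assumption of this example: a shortcut that opens a web page needs only these.
ALLOWED_SCHEMES = {"http", "https"}

def shortcut_target(text):
    """Return the URL= value of the [InternetShortcut] section, or None."""
    # RawConfigParser: no % interpolation, which URLs would otherwise break.
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:
        return None  # not INI-formatted, so not an Internet Shortcut
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            # Option names are lower-cased by configparser by default.
            return parser.get(section, "url", fallback=None)
    return None

def classify(text):
    """Return (verdict, target) for the contents of one .url file."""
    target = shortcut_target(text)
    if target is None:
        return "not-a-shortcut", None
    scheme = urlsplit(target).scheme.lower()
    verdict = "ok" if scheme in ALLOWED_SCHEMES else "review"
    return verdict, target

# Constructed sample files; names, hosts and the odd scheme are placeholders.
SAMPLES = {
    "news.url": "[InternetShortcut]\nURL=https://www.example.com/article\n",
    "invoice.pdf.url": "[InternetShortcut]\nURL=legacy-handler:http://host.example/doc\n",
    "notes.url": "just some text\n",
}

def triage(samples):
    """Map each file name to its verdict."""
    return {name: classify(text)[0] for name, text in samples.items()}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{verdict:15} {name}")
```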

After Check Point’s disclosure, the US government added the vulnerability to its catalog of known exploits, warning users that Windows has a “spoofing vulnerability that has a strong impact on privacy, integrity, and availability.”

The vulnerability has been patched; users just need to make sure their Windows PCs are updated. The CISA mandate means that US federal employees must apply this update by July 30 or stop using their computers. All other organizations, and even home users, should follow suit given the current Windows threat environment: according to Check Point, Trend Micro, and CISA, this vulnerability has been exploited in the wild. More worryingly, Check Point says these attacks have been going on for more than 12 months.

Microsoft publicly acknowledged in its July update that the vulnerability had been exploited, telling me that “we very much appreciate [Check Point’s] Haifei Li for this research and responsible reporting in Coordinated Vulnerability Disclosure. Customers who have installed the update are now protected.”

Check Point told me that the vulnerability is “particularly surprising … using Internet Explorer, which many users may not realize is even on their computer … All Windows users [should] apply the Microsoft patch immediately to protect yourself.”

Ironically, CVE-2024-38112 isn’t the only Internet Explorer vulnerability to make CISA’s most dangerous list this month. CVE-2012-4792 also just surfaced, with a specific warning about a “use-after-free” Internet Explorer memory vulnerability despite its end-of-life state. This time, CISA’s mandate is even clearer: “The affected product has expired and should be turned off if still in use.”

The pre-update risk to PC users is best summed up by Trend Micro, which describes it as “a prime example of how unsupported Windows relics are an overlooked attack surface that can still be exploited by threats to infect unsuspecting users with ransomware, backdoors, or as a conduit for other types of malware.”

This month’s Windows outage — for whatever reason — flooded the news cycle. While the CrowdStrike problem was painful and expensive, it is not a cyber threat in itself – although bad actors are now clearly taking advantage of the confusion. The quieter threat, according to CISA’s warning, is just the opposite; you won’t know you’ve been hit until it’s too late. So, make sure to apply the update if it is not already installed.