Microsoft’s notorious Internet Explorer has been brought out of retirement by threat actors using its security holes to serve malware.
The team at Check Point Research said it spotted a new attack in the wild which uses the ancient web browser as the delivery vehicle for malware infections. The process involves the use of a file which then calls and exploits IE to deliver the malware payload.
The researchers told CyberRisk Alliance that the attack will work on a standard Windows 11 installation without the need for any configuration changes.
“What's especially surprising is that this attack leverages Internet Explorer, which many users may not realize is even on their computer, to execute the attack,” said Check Point Research group manager Eli Smadja.
“And it has been ongoing for over a year and is still active today.”
The attack begins with a .url file disguised as an otherwise unassuming PDF. The target is delivered with the file believing it will be opened with Edge, Microsoft’s latest generation browser with beefed up security.
In reality, the .url file type directs Windows to open a URL with a browser, sort of like a bookmark or hyperlink that stands alone and can be shared.
Normally, the .url file would cause a webpage to be opened with Edge. In this case, however, the target URL is manipulated to exploit a concept first outlined in the CVE-2021-40444 security flaw. The ‘mhtml’ trick causes the URL to open the web page in Internet Explorer.
Though IE has long-since been phased out and formally retired in favor of the Chromium-based Edge browser, it remains part of Windows as a way to support specific legacy applications. Microsoft still maintains security updates, but even when it was the main browser on Windows, IE was notoriously prone to security vulnerabilities via its ActiveX plug-in system.
This is where the final step of the attack process takes place. The malicious URL executes a script which downloads and installs the malware payload. While Windows will issue dialogues warning about the file opening an outside application, these will often go unheeded by users who believe them to be standard for viewing a PDF.
“For concerned Windows users, we recommend being especially vigilant about .url files sent from untrusted sources,” noted Check Point researcher Haifei Li.
“As we’ve discussed, this type of attack requires a couple of warnings (user interactions) to succeed.”
Fortunately, there is a fix available. Check Point said that the July edition of the Patch Tuesday security updates contains a fix that prevents the .url file from automatically accessing and exploiting the vulnerable IE components.
