MSHTML Platform Spoofing Vulnerability
Key Information
- Vendor
- Microsoft
- Status
- Windows 10 Version 22h2
- Windows 11 Version 23h2
- Windows 10 Version 1507
- Windows 11 Version 22h2
- Vendor
- CVE Published:
- 9 July 2024
Badges
Summary
The MSHTML Platform Spoofing Vulnerability (CVE-2024-38112) affects Windows operating systems and is actively exploited by threat actors. It involves the use of Windows Internet Shortcut files to call the retired Internet Explorer (IE) to visit attacker-controlled URLs, allowing the attacker to gain significant advantages in exploiting the victim’s computer. The vulnerability triggers spoofing in the MSHTML rendering engine, which is crucial for rendering web content in Internet Explorer and other applications through embedded web browser controls. It allows attackers to deceive users into believing that malicious content originates from a trusted source, potentially leading to the disclosure of sensitive information or the installation of malware. The exploitation of this vulnerability is compounded by the inadequate handling and exposure of resources within the MSHTML library, allowing for unauthorized exposure and potentially malicious interactions. Microsoft has released a patch to address the vulnerability, and users are advised to apply it promptly to protect their systems.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2024-38112 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Windows 10 Version 22H2 < 10.0.19045.4651
Windows 11 Version 23H2 < 10.0.22631.3880
Windows 10 Version 1507 < 10.0.10240.20710
News Articles
Forbes CVE-2024-38112CVE-2024-30040Microsoft Windows Deadline—10 Days To Update Or Stop Using Your PC
Government issues emergency update warning for all Windows users, with existing security fixes likely “insufficient.”
1 month ago
Forbes CVE-2024-38112Microsoft Windows ‘Critical Vulnerability’ Warning—You Have 72 Hours To Update Your PC
Government warns users to update PCs by October 7 or stop using Windows.
2 months ago
CVE-2024-43461CVE-2024-38112Microsoft confirms IE zero-day exploited in sneaky update
Analysis Microsoft, in a low-key update to its September Patch Tuesday disclosures, has confirmed a just-fixed Internet Explorer vulnerability was exploited as a zero-day before it could be patched. Redmond...
2 months ago
EPSS Score
70% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 👾
Exploit exists.
- 🔥
Vulnerability reached the number 1 worldwide trending spot.
Vulnerability started trending.
First article discovered by Help Net Security
Vulnerability published.
Vulnerability Reserved.