
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2024-38112 is a Windows MSHTML Platform Spoofing Vulnerability discovered in May 2024 by Trend Micro's Zero Day Initiative (ZDI). The vulnerability affects various versions of Windows 10 and allows attackers to access and execute files through the disabled Internet Explorer using MSHTML. This vulnerability was actively exploited as a zero-day by the APT group Void Banshee before being reported to Microsoft (Trend Research).
Exploitation abuses the MHTML protocol handler and x-usc directives in internet shortcut (.url) files to run malicious code through the disabled Internet Explorer instance on Windows machines. Although Internet Explorer is officially disabled, remnants of IE still exist on modern Windows systems, and attackers leveraged them to execute files. Microsoft has assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).
The vulnerability enables attackers to bypass system security controls and execute malicious code through the disabled Internet Explorer browser. In the observed attacks, it was used to deploy the Atlantida stealer malware, which focuses on stealing system information and sensitive data such as passwords and cookies from various applications, including Telegram, Steam, FileZilla, cryptocurrency wallets, and web browsers (Trend Research).
Microsoft has patched this vulnerability as part of the July 2024 Patch Tuesday updates. The patch unregistered the MHTML handler from Internet Explorer, preventing the exploitation method. Users are strongly advised to apply the latest security updates to protect their systems (Trend Research).
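A defender-side check for the internet shortcut pattern described above, as an added example that is not part of the original entry: it parses `.url` files and flags a `URL=` target that uses the `mhtml:` scheme or carries an `x-usc:` directive. The function names and the sample shortcut contents (including the `host.invalid` addresses) are constructed for illustration.

```python
from pathlib import Path

# Constructed sample inputs for illustration (not taken from any real incident).
SAMPLE_SUSPICIOUS = (
    "[InternetShortcut]\n"
    "URL=MHTML:http://host.invalid/doc.html!x-usc:http://host.invalid/doc.html\n"
)
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://host.invalid/doc.html\n"


def shortcut_target(text):
    """Return the URL= value of the [InternetShortcut] section, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "url":
                return value.strip()
    return None


def findings(text):
    """Flag the two markers the advisory names; matching is case-insensitive."""
    target = (shortcut_target(text) or "").lower()
    hits = []
    if target.startswith("mhtml:"):
        hits.append("mhtml-scheme")
    if "x-usc:" in target:
        hits.append("x-usc-directive")
    return hits


def scan(root):
    """Walk a directory tree and report every .url file with at least one hit."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() != ".url" or not path.is_file():
            continue
        data = path.read_bytes()
        # Shortcuts are usually ANSI/UTF-8, but a UTF-16 BOM is also possible.
        utf16 = data[:2] in (b"\xff\xfe", b"\xfe\xff")
        text = data.decode("utf-16" if utf16 else "utf-8-sig", errors="replace")
        hits = findings(text)
        if hits:
            report[str(path)] = hits
    return report
```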
Source: This report was generated using AI