Microsoft Windows Deadline—Why You Need To Update Your PC By July 30
For Microsoft, July will not go down as a good month on the security front. Those images of countless blue screens around the world will stick. And while the issue sits with CrowdStrike, not Microsoft, appearances matter. Wall-to-wall outage headlines also make it all too easy to forget the actual Windows threats lurking in the background, which were the subject of warnings before CrowdStrike struck. But such forgetfulness can be dangerous.
Earlier this month, before blue screens of death started trending, both Check Point and Trend Micro advised that Windows 10 and 11 users are now at risk from a “previously unknown” threat that cleverly wakens the Internet Explorer code buried under the covers of hundreds of millions of PCs, exploiting wide-open security holes.
As Check Point warned on July 9, “attackers are using special Windows Internet Shortcut files, which, when clicked, call the retired Internet Explorer (IE) to visit the attacker-controlled URL… By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.”
Then just days later, Trend Micro ramped up the threat level, warning that the vulnerability “was used as a zero-day to access and execute files through the disabled Internet Explorer using MSHTML… infect[ing] victim machines with the Atlantida info-stealer, which focuses on pilfering system information and sensitive data (like passwords and cookies) from various applications.”
Following Check Point’s disclosure, the US government added the vulnerability to its Known Exploited Vulnerabilities catalog, warning users that Windows has “a spoofing vulnerability that has a high impact to confidentiality, integrity, and availability.”
The vulnerability has been patched; users just need to ensure their Windows PCs are updated. CISA’s mandate means US federal employees must apply that update by July 30 or stop using their PCs. All other organizations—and even home users—should follow suit given the current Windows threat landscape: per Check Point, Trend Micro and CISA, we know this vulnerability has been exploited in the wild. More alarmingly, Check Point says those attacks have been ongoing for more than 12 months.
In its July update, Microsoft publicly acknowledged that the vulnerability had been exploited, telling me “we greatly appreciate [Check Point’s] Haifei Li for this research and for responsibly reporting it under a coordinated vulnerability disclosure. Customers who have installed the update are already protected.”
Check Point told me the vulnerability was “especially surprising… leveraging Internet Explorer, which many users may not realize is even on their computer… All Windows users [should] immediately apply the Microsoft patch to protect themselves.”
Ironically, CVE-2024-38112 isn’t the only Internet Explorer vulnerability to make it onto CISA’s most-dangerous list this month. CVE-2012-4792 has also just cropped up—a specific warning about a “use after free” Internet Explorer memory vulnerability despite its end-of-life status. This time around, the CISA mandate is even clearer: “The impacted product is end-of-life and should be disconnected if still in use.”
The pre-update risk for PC users is best summed up by Trend Micro, which described it as “a prime example of how unsupported Windows relics are an overlooked attack surface that can still be exploited by threat actors to infect unsuspecting users with ransomware, backdoors, or as a conduit for other kinds of malware.”
The Windows outage this month—regardless of its cause—swamped the news cycle. While the CrowdStrike issue has been painful and costly, it’s not itself a cyber threat—albeit bad actors are now clearly taking advantage of the confusion. The quieter threat per CISA’s warning is exactly the opposite; you won’t know you’ve been hit until it’s too late. So, make sure you apply the update, if it isn’t installed already.