Internet Explorer Now Retired but Still an Attacker Target

Though the once-popular browser is officially now history as far as Microsoft support goes, adversaries won’t stop attacking it, security experts say.

DARKReading
Tags: vulnerability, web, windows, google, microsoft, rce, zero_day

Microsoft’s official end of support for the Internet Explorer 11 desktop application on June 15 relegated to history a browser that had been around for almost 27 years. Even so, IE will likely remain a juicy target for attackers.

That’s because some organizations are still using Internet Explorer (IE) despite Microsoft’s long-announced plans to deprecate it. Microsoft, meanwhile, is keeping the MSHTML (aka Trident) engine that powered IE as a component of Windows, including Windows 11, and has committed to supporting IE mode in Microsoft Edge through at least 2029 so organizations can keep running legacy sites while they transition. In other words, IE isn’t dead just yet, and neither are the threats to it.

Though IE has a negligible share of the browser market worldwide these days (0.52%), many enterprises still run it or have legacy applications tied to IE. This appears to be the case in countries such as Japan and Korea. Stories in Nikkei Asia and Japan Times this week quoted a survey by Keyman’s Net showing that nearly 49% of 350 Japanese companies surveyed are still using IE. Another report in South Korea’s MBN pointed to several large organizations still running IE.

“Internet Explorer has been around for over 20 years and many companies have invested in using it for many things beyond just Web browsing,” says Todd Schell, senior product manager at Ivanti. Enterprise applications remain tightly coupled to IE, he says, often because their websites run older, customized scripts or depend on apps that require them. “For example, companies may have built extensive scripts that generate and then display reports in IE. They have not invested in updating them to use HTML 5 for Edge or other modern browsers.”

Such organizations face the security issues that come with any software that is no longer supported. Running IE 11 as a standalone app past its end-of-support date means that previously unknown, or worse, known but unpatched, vulnerabilities can be exploited going forward, Schell says.

“This is true for any application or operating system but has historically been an even bigger issue for browsers, which have such widespread use,” Schell says. It’s hard to say how many organizations worldwide are presently stuck using a technology that is no longer supported because they did not migrate away sooner. But judging by the fact that Microsoft will continue to support compatibility mode in Edge until 2029, IE likely remains in widespread use, he notes.

Any organization that hasn’t already should prioritize moving away from IE because of the security implications, says Claire Tills, senior research engineer at Tenable. “The end of support means that new vulnerabilities will not get security patches if they don’t meet a certain criticality threshold and, even in those rare cases, those updates will only be available to customers who have paid for Extended Security Updates,” she says.

Bugs Still Abound

Microsoft Edge has now officially replaced the Internet Explorer 11 desktop app on Windows 10. But because the MSHTML engine will remain part of the Windows operating system through 2029, organizations are exposed to vulnerabilities in the browser engine even if they no longer use IE itself.

According to Maddie Stone, security researcher at Google’s Project Zero bug hunting team, IE has continued to see a steady stream of zero-day bugs in recent years, even as its use shrank. Last year, for example, the Project Zero team tracked four zero-days in IE, the most since 2016, when the same number of zero-days were discovered in the browser. Three of the four zero-day vulnerabilities last year (CVE-2021-26411, CVE-2021-33742, and CVE-2021-40444) targeted MSHTML and were exploited via delivery methods other than the Web browser, Stone says.

“It’s not clear to me how Microsoft may or may not lock down access to MSHTML in the future,” Stone says. “But if the access stays as it is now it means that attackers can exploit vulnerabilities in MSHTML through routes such as Office documents and other file types as we saw last year” with the three MSHTML zero-days, she says. The number of zero-day exploits detected in the wild targeting IE components has been pretty consistent from 2015 to 2021 and suggests that the browser remains a popular target for attackers, Stone says.

Tenable’s Tills notes that one of the more widely exploited vulnerabilities in a Microsoft product in 2021 was in fact CVE-2021-40444, a remote code execution zero-day in MSHTML that was triggered by opening a malicious Office document. The vulnerability was exploited extensively in phishing attacks by everyone from ransomware-as-a-service operators to advanced persistent threat groups.
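The Office-document route that Stone and Tills describe leaves a concrete artifact: the lure document embeds an OLE object whose package relationship points at an external mhtml: URL, so MSHTML is invoked when Word resolves the link. The following PowerShell function, an added example rather than code from the article or from Tenable or Google, opens Office Open XML files as zip archives and reports any relationship with an external target that is either an oleObject or an mhtml: URL. The quarantine path in the usage line and the Severity labels are assumptions for illustration.

```powershell
# Added example (not from the article). Flags OOXML documents whose package
# relationships point at an external OLE object or an mhtml: URL, the delivery
# pattern seen in CVE-2021-40444 lures. The folder path below is a placeholder.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-MshtmlLure {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        try {
            $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        } catch {
            Write-Warning "$Path is not a readable OOXML (zip) container"
            return
        }
        try {
            # Relationship parts live under */_rels/*.rels inside the package.
            foreach ($entry in $zip.Entries | Where-Object { $_.FullName -like '*_rels/*.rels' }) {
                $reader = New-Object System.IO.StreamReader($entry.Open())
                try { $xml = [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
                foreach ($rel in $xml.Relationships.Relationship) {
                    # Only external targets can reach out to an attacker-controlled host.
                    if ($rel.TargetMode -ne 'External') { continue }
                    $isOle   = $rel.Type -like '*/oleObject'
                    $isMhtml = $rel.Target -match '^mhtml:'
                    if ($isOle -or $isMhtml) {
                        [pscustomobject]@{
                            File     = $Path
                            Part     = $entry.FullName
                            RelType  = ($rel.Type -split '/')[-1]
                            Target   = $rel.Target
                            # mhtml: scheme on an external target is the strongest indicator.
                            Severity = if ($isMhtml) { 'High' } else { 'Review' }
                        }
                    }
                }
            }
        } finally {
            $zip.Dispose()
        }
    }
}

# Usage: sweep a mail-gateway quarantine folder (placeholder path).
Get-ChildItem -Path 'C:\Quarantine' -Recurse -Include *.docx, *.docm, *.dotx, *.dotm |
    Select-Object -ExpandProperty FullName |
    Test-MshtmlLure |
    Format-Table -AutoSize
```

Legitimate documents rarely carry external oleObject relationships, so the Review tier is a reasonable triage queue; the High tier, an external mhtml: target, should be treated as malicious until proven otherwise. RTF files are not zip containers and need a separate check.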

“Given that Microsoft will continue to support MSHTML, organizations should examine the mitigations for vulnerabilities like CVE-2021-40444 and determine which they can adopt long term to reduce the risk of future vulnerabilities,” Tills notes.

The Usual Mitigations

Microsoft was not available as of this post to comment on the potential risk to organizations from attacks targeting MSHTML. But Ivanti’s Schell says it is reasonable to assume that Microsoft has provided proper security and sandboxing around MSHTML when running in IE compatibility mode. Because MSHTML remains a supported product and feature, Microsoft can monitor it and ship any needed updates, he says. The best mitigation, as always, is for organizations to keep their software, OS, and browser updated and to ensure antivirus and malware detection mechanisms are up to date as well.

“MSHTML is now just one of many libraries that we have in Windows 11,” says Johannes Ullrich, dean of research at the SANS Institute. “Of course, it is a complex one, and one that still has a significant but somewhat reduced attack surface,” he notes. So, the best mitigation for organizations is to keep patching Windows when updates become available, he says.
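Tills’ advice to adopt the CVE-2021-40444 mitigations long term, and Schell’s and Ullrich’s advice to keep the Windows component patched, both reduce to things an administrator can audit on a host. The script below is an added example, not code from the article or from Microsoft, Ivanti, Tenable or SANS. It reports the installed mshtml.dll version and the Edge IE-mode policy, and it audits (or, with -Apply, sets) the workaround Microsoft published for CVE-2021-40444: URLACTION values 1001 and 1004 (download of signed and unsigned ActiveX controls) set to 3 (Disable) in Internet Security Zones 0 through 3 under the Policies hive. The function names are my own; the registry paths and values are Microsoft’s documented ones.

```powershell
# Added example (not from the article). Inventory of the MSHTML engine and Edge
# IE-mode policy, plus an audit/enforce pass over Microsoft's published
# CVE-2021-40444 workaround (disable ActiveX download in zones 0-3).
# Run from an elevated session when using -Apply.

function Get-MshtmlExposure {
    $dll  = Get-Item "$env:windir\System32\mshtml.dll" -ErrorAction SilentlyContinue
    $edge = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MshtmlVersion     = if ($dll) { $dll.VersionInfo.FileVersion } else { 'not present' }
        MshtmlLastWrite   = if ($dll) { $dll.LastWriteTime } else { $null }   # rough patch-level hint
        # Edge policy: 0 = IE mode off, 1 = IE mode for site-list entries, 2 = IE mode only via NeedIE
        IEModeIntegration = $edge.InternetExplorerIntegrationLevel
        IEModeSiteList    = $edge.InternetExplorerIntegrationSiteList
    }
}

function Set-ActiveXDownloadBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Apply)
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($zone in 0..3) {                 # 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet
        $key = Join-Path $base $zone
        foreach ($action in '1001', '1004') { # 1001 signed ActiveX download, 1004 unsigned ActiveX download
            $current   = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
            $compliant = ($current -eq 3)     # 3 = Disable
            if (-not $compliant -and $Apply -and
                $PSCmdlet.ShouldProcess("$key\$action", 'Set to 3 (Disable)')) {
                if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                New-ItemProperty -Path $key -Name $action -Value 3 -PropertyType DWord -Force | Out-Null
                $current   = 3
                $compliant = $true
            }
            [pscustomobject]@{ Zone = $zone; UrlAction = $action; Value = $current; Compliant = $compliant }
        }
    }
}

Get-MshtmlExposure
Set-ActiveXDownloadBlock | Format-Table -AutoSize       # audit only
# Set-ActiveXDownloadBlock -Apply -WhatIf                # preview changes
# Set-ActiveXDownloadBlock -Apply                        # enforce (elevated)
```

Setting these values blocks ActiveX download in IE mode as well, so any legacy line-of-business site that still installs controls at runtime needs to be inventoried before the policy is rolled out fleet-wide.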

“IE is still popular enough to be a worthwhile target” for attackers, Ullrich adds.

Even so, the continuing number of zero-days being discovered in IE doesn’t necessarily mean that attackers have suddenly intensified their interest in attacking it. “It may just be that it was easier to find vulnerabilities using newer tools in the old IE codebase,” Ullrich says.

Related news

Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer

An advanced persistent threat (APT) group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida. Cybersecurity firm Trend Micro, which observed the activity in mid-May 2024, said the vulnerability, tracked as CVE-2024-38112, was used as part of a multi-stage attack

Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool

Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S. "MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems," Fortinet FortiGuard

Sophisticated MATA Framework Strikes Eastern European Oil and Gas Companies

An updated version of a sophisticated backdoor framework called MATA has been used in attacks aimed at over a dozen Eastern European companies in the oil and gas sector and defense industry as part of a cyber espionage operation that took place between August 2022 and May 2023. "The actors behind the attack used spear-phishing mails to target several victims, some were infected with Windows

Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware

Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems. "LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015," Fortinet FortiGuard Labs researcher Cara Lin said. "It primarily targets Windows systems and aims to gather sensitive information from

New Attack Drops LokiBot Malware Via Malicious Macros in Word Docs

By Waqas LokiBot, a notorious Trojan active since 2015, specializes in stealing sensitive information from Windows machines, posing a significant threat to user data.

Researchers Share New Insights Into RIG Exploit Kit Malware's Operations

The RIG exploit kit (EK) touched an all-time high successful exploitation rate of nearly 30% in 2022, new findings reveal. "RIG EK is a financially-motivated program that has been active since 2014," Swiss cybersecurity company PRODAFT said in an exhaustive report shared with The Hacker News. "Although it has yet to substantially change its exploits in its more recent activity, the type and

Google Warns of Internet Explorer Zero-Day Vulnerability Exploited by ScarCruft Hackers

An Internet Explorer zero-day vulnerability was actively exploited by a North Korean threat actor to target South Korean users by capitalizing on the recent Itaewon Halloween crowd crush to trick users into downloading malware. The discovery, reported by Google Threat Analysis Group researchers Benoît Sevens and Clément Lecigne, is the latest set of attacks perpetrated by ScarCruft, which is

North Korean APT37 Unleashes Dolphin Backdoor on South Korea

By Habiba Rashid The backdoor is equipped with a wide range of spying capabilities, including exfiltrating files, keylogging, and stealing browser data, etc.

North Korea Hackers Using New "Dolphin" Backdoor to Spy on South Korean Targets

The North Korea-linked ScarCruft group has been attributed to a previously undocumented backdoor called Dolphin that the threat actor has used against targets located in its southern counterpart. "The backdoor [...] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing

Hackers Using PowerPoint Mouseover Trick to Infect System with Malware

The Russian state-sponsored threat actor known as APT28 has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware. The technique "is designed to be triggered when the user starts the presentation mode and moves the mouse," cybersecurity firm Cluster25 said in a technical report. "The code execution runs a

Vulnerability Exploits, Not Phishing, Are the Top Cyberattack Vector for Initial Compromise

A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.

Most Q2 Attacks Targeted Old Microsoft Vulnerabilities

The most heavily targeted flaw last quarter was a remote code execution vulnerability in Microsoft Office that was disclosed and patched four years ago.

RIG Exploit Kit Now Infects Victims' PCs With Dridex Instead of Raccoon Stealer

The operators behind the Rig Exploit Kit have swapped the Raccoon Stealer malware for the Dridex financial trojan as part of an ongoing campaign that commenced in January 2022. The switch in modus operandi, spotted by Romanian company Bitdefender, comes in the wake of Raccoon Stealer temporarily closing the project after one of its team members responsible for critical operations passed away in

PHDays 11: towards the Independence Era

Hello everyone! In this episode, I want to talk about the Positive Hack Days 11 conference, which took place on May 18 and 19 in Moscow. As usual, I want to express my personal opinion about this event. Alternative video link (for Russia): https://vk.com/video-149273431_456239091 As I did last year, I want to start talking about this […]

Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack

Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.

Microsoft Office MSDT Follina Proof Of Concept

Proof of concept for the remote code execution vulnerability in MSDT known as Follina.

CVE-2021-36338: DSA-2021-226: Dell EMC Unisphere for PowerMax, Dell EMC Unisphere for PowerMax vApp, Dell EMC Solutions Enabler vApp, Dell EMC Unisphere 360, Dell EMC VASA, and Dell EMC PowerMax EMB Mgmt Security Upd

Unisphere for PowerMax versions prior to 9.2.2.2 contains a privilege escalation vulnerability. An adjacent malicious user could potentially exploit this vulnerability to escalate their privileges and access functionalities they do not have access to. CVE-2022-31233 addresses the partial fix in CVE-2021-36338.

CVE-2021-40444

Microsoft MSHTML Remote Code Execution Vulnerability
