A vulnerability, identified as CVE-2024-38112, has been detected that allows attackers to execute remote code by tricking users into opening malicious Internet Shortcut (.url) files. This method has been active for over a year and has the potential to affect millions of users. The exploit involves tricking users into clicking on .url files that unexpectedly force Internet Explorer to navigate to a harmful URL. The attackers use a sophisticated trick to mask the malicious .hta extension, exploiting the outdated security of Internet Explorer to compromise systems running updated Windows operating systems.

Historically, .url files have been a common vector for initiating attacks. Recent vulnerabilities like CVE-2023-36025, which was patched last November, utilized similar tactics. Despite Microsoft’s transition from Internet Explorer to the more secure Edge browser, this exploit targets the remaining users of Internet Explorer. The attack works by deceiving victims into thinking they are opening a PDF, while actually connecting them to an attacker-controlled website via Internet Explorer.

This allows the attackers to employ further deceptive methods to execute malicious code. To protect against this threat, it is essential to always be cautious about what you are clicking on and ensure that Windows is fully up to date.