CyberSecurity SEE

Windows MSHTML spoofing vulnerability used in recent zero-day attacks

Microsoft has disclosed that a Windows MSHTML spoofing vulnerability, tracked as CVE-2024-43461 and patched in last week's September Patch Tuesday release, was exploited in zero-day attacks earlier this year. The high-severity flaw carries a CVSS score of 8.8 and affects MSHTML, the legacy Internet Explorer rendering engine that still ships with Windows and underpins Internet Explorer mode in the Microsoft Edge browser. It was discovered and reported by Peter Girnus, a senior threat hunter at Trend Micro's Zero Day Initiative (ZDI).

According to the ZDI advisory, CVE-2024-43461 lets a remote attacker execute code on an unpatched Windows system, but only with user interaction: the victim has to open a malicious file or page, and the flaw lets the attacker manipulate how the file's extension is displayed so that a dangerous file type appears harmless. After Patch Tuesday, Microsoft updated its advisory to confirm that the bug had been exploited in the wild as a zero-day before the September fix shipped. It was used as part of an attack chain that also relied on CVE-2024-38112, and that chain was already broken by Microsoft's July 2024 fix for the earlier bug.
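The article does not say how the extension is disguised. The following is an added example, not code from the article, Microsoft, ZDI or Trend Micro: a small Python checker that assumes the padding form of the trick, in which a decoy extension such as .pdf is followed by a long run of characters that render as blank (the Braille blank U+2800, zero-width spaces and similar) so the real extension is pushed out of the visible part of the filename. Windows dispatches on whatever follows the last dot, so the checker compares that real extension with the first dotted token a user would see. The extension list, the sample filenames and the `min_run` threshold are all constructed assumptions for illustration.

```python
import unicodedata

# Extensions Windows hands to a script host, shell or installer rather than a
# viewer. Illustrative list, not exhaustive (assumption).
DANGEROUS_EXTS = {"hta", "exe", "scr", "js", "jse", "vbs", "vbe", "wsf",
                  "lnk", "url", "ps1", "cmd", "bat", "msi", "cpl"}

# Filenames constructed for this example. The first two mimic padded lures:
# a decoy document extension, then a run of blank-looking characters
# (U+2800 Braille blank / U+200B zero-width space), then the real extension.
SAMPLE_NAMES = [
    "Books_A0UJKO.pdf" + "\u2800" * 26 + ".hta",
    "Invoice_2024.docx" + "\u200b" * 10 + ".exe",
    "report.pdf",
    "setup v2.0 final.exe",
    "quarterly results.xlsx",
]


def is_blank_like(ch: str) -> bool:
    """True for characters that render blank or invisible in Explorer and
    file dialogs: ordinary whitespace, Unicode space separators (Zs), format
    characters such as zero-width space (Cf), and the Braille blank U+2800,
    which is classed as a symbol (So) but draws nothing."""
    if ch.isspace() or ch == "\u2800":
        return True
    return unicodedata.category(ch) in ("Zs", "Cf")


def true_extension(name: str) -> str:
    """The extension Windows actually dispatches on: text after the last dot."""
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def find_decoy(name: str):
    """Return (decoy_ext, blank_run) for the first '.ext' token that is
    followed by a run of blank-like characters, i.e. the extension a user
    sees before the real one scrolls out of view. (None, 0) if none."""
    n = len(name)
    i = name.find(".")
    while 0 <= i < n:
        j = i + 1
        while j < n and name[j].isascii() and name[j].isalnum():
            j += 1
        k = j
        while k < n and is_blank_like(name[k]):
            k += 1
        if j > i + 1 and k > j:
            return name[i + 1:j].lower(), k - j
        i = name.find(".", i + 1)
    return None, 0


def analyze_filename(name: str, min_run: int = 3) -> dict:
    """Classify one filename. min_run is the shortest blank run treated as
    deliberate padding (assumption: 3 keeps names like 'v2.0 final.exe' quiet)."""
    real = true_extension(name)
    decoy, run = find_decoy(name)
    spoofed = (real in DANGEROUS_EXTS and decoy is not None
               and decoy != real and run >= min_run)
    return {"name": name, "real_ext": real, "decoy_ext": decoy,
            "blank_run": run, "dangerous": real in DANGEROUS_EXTS,
            "spoofed": spoofed}


def scan(names) -> list:
    """Analyze a batch of filenames and return the results in input order."""
    return [analyze_filename(n) for n in names]


if __name__ == "__main__":
    for r in scan(SAMPLE_NAMES):
        flag = "SPOOFED" if r["spoofed"] else "ok     "
        print(f"{flag} real=.{r['real_ext']:<5} shown=.{str(r['decoy_ext']):<5} "
              f"blank_run={r['blank_run']:<3} {r['name'][:40]!r}")
```

The check is deliberately narrow: it only flags a name when the real extension is in the dangerous set, a different decoy extension is visible, and the blank run is long enough to look deliberate. A plain `invoice.pdf.hta` is reported as dangerous but not spoofed, and a version string such as `v2.0 final.exe` is left alone because its single space is below the threshold.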

CVE-2024-38112, another spoofing vulnerability in the MSHTML platform, was disclosed and fixed in Microsoft's July Patch Tuesday release. Reported by Haifei Li of Check Point Software Technologies, it had been exploited as early as January 2023, which shows that threat actors have been using these techniques for well over a year.

A Trend Micro report co-authored by Girnus attributed exploitation of CVE-2024-38112 to an advanced persistent threat group it tracks as Void Banshee, which used the bug to deliver a new information stealer called Atlantida. The report warned that although Microsoft ended support for Internet Explorer in 2022, the IE engine still lives on inside Windows and remains reachable, which is what makes vulnerabilities like CVE-2024-38112 exploitable.

So even though users can no longer launch Internet Explorer as a browser, attackers can still drive the IE components left behind in Windows to infect systems with a range of malware, which puts organizations worldwide at risk. Microsoft's updated advisory urges customers to install both the July 2024 and September 2024 security updates to close off the two vulnerabilities.

How CVE-2024-43461's earlier exploitation came to light remains unclear. TechTarget Editorial asked Microsoft for further detail, but the company had not responded at the time of publication.

Rob Wright is a longtime reporter and senior news director for TechTarget Editorial's security team. He drives coverage of breaking infosec news and trends. Have a tip? Email him.
