Microsoft has confirmed that a recently patched Windows vulnerability, tracked as CVE-2024-43461, was exploited in the wild as a zero-day before being fixed in July 2024. The flaw is a high-severity spoofing bug in MSHTML, the underlying platform used in Internet Explorer. According to Trend Micro’s Zero Day Initiative, the vulnerability allows attackers to execute arbitrary code if the user visits a malicious page or opens a malicious file.
A crafted file name can hide the true file extension, misleading the user into believing the file type is harmless. An attacker can use this to execute code in the context of the current user. Microsoft updated its advisory for CVE-2024-43461 to warn that the vulnerability was exploited along with CVE-2024-38112, another MSHTML spoofing flaw, prior to July 2024.
“CVE-2024-43461 was exploited as a part of an attack chain relating to CVE-2024-38112, prior to July 2024.
We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain.
Customers should install both the July 2024 and September 2024 security updates to fully protect themselves,” Microsoft noted. Trend Micro reports that CVE-2024-38112 was exploited by an advanced persistent threat actor tracked as Void Banshee. The threat actor used crafted URLs that opened IE and redirected users to a compromised website hosting a malicious HTML Application file, which was executed to download a malicious payload in the background.
This attack chain led to Atlantida stealer infections. Microsoft addressed the CVE-2024-43461 vulnerability in the September 2024 Patch Tuesday updates. Users are advised to apply both the July and September 2024 security updates to be fully protected against this exploit chain.
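The extension-hiding trick described above (a crafted file name that masks the true file type) can be screened for on the defensive side, for example in a download gateway or triage script. The following is an added example, not code from Microsoft or Trend Micro; the extension list, the padding threshold, the set of blank-rendering characters and the sample names are all assumptions made for illustration.

```python
import unicodedata

# Assumed, illustrative list of extensions that run code when opened.
RISKY_EXTS = {"hta", "exe", "scr", "js", "vbs", "bat", "cmd", "lnk"}
# Assumed threshold: this many blank characters before the extension is not a normal name.
MIN_PAD_RUN = 8
# Code points that are not whitespace by category but render as empty space.
BLANK_LOOKALIKES = {"\u2800", "\u3164", "\u115f", "\u1160", "\uffa0"}


def is_blank(ch):
    """True for characters that display as empty space or not at all."""
    return (ch.isspace() or ch in BLANK_LOOKALIKES
            or unicodedata.category(ch) in ("Zs", "Cf"))


def split_padding(stem):
    """Split a name (without its last extension) into (visible part, trailing blank count)."""
    end = len(stem)
    while end > 0 and is_blank(stem[end - 1]):
        end -= 1
    return stem[:end], len(stem) - end


def check_filename(name):
    """Return findings for one file name; an empty list means nothing was flagged."""
    stem, dot, real_ext = name.rpartition(".")
    if not dot:
        return []
    real_ext = real_ext.strip().lower()
    visible, pad = split_padding(stem)
    decoy = visible.rpartition(".")[2].lower() if "." in visible else ""
    findings = []
    if pad >= MIN_PAD_RUN:
        findings.append("padding-before-extension")
    # A harmless-looking extension, then blanks, then an extension that executes.
    if pad and decoy.isalnum() and decoy != real_ext and real_ext in RISKY_EXTS:
        findings.append(f"decoy-extension:{decoy}->{real_ext}")
    return findings


# Constructed sample names, not taken from any real incident.
SAMPLES = ["invoice.pdf" + "\u2800" * 26 + ".hta", "scan.pdf .exe",
           "report.final.docx", "setup.v2.exe", "README"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), check_filename(sample))
```

Ordinary multi-dot names such as `report.final.docx` or `setup.v2.exe` are not flagged, because the check requires blank padding directly before the final extension.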







