Pierluigi Paganini
September 16, 2024
Microsoft warns that attackers actively exploited the Windows vulnerability CVE-2024-43461 as a zero-day before July 2024.
The vulnerability CVE-2024-43461 is a Windows MSHTML platform spoofing issue. MSHTML is a platform used by Internet Explorer. Although the browser has been retired, MSHTML remains in Windows and is still used by certain applications.
The ZDI Threat Hunting team discovered a new exploit similar to a previously patched July vulnerability tracked as CVE-2024-38112.
“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” reads the advisory published by ZDI. “The specific flaw exists within the way Internet Explorer prompts the user after a file is downloaded. A crafted file name can cause the true file extension to be hidden, misleading the user into believing that the file type is harmless. An attacker can leverage this vulnerability to execute code in the context of the current user.”
Despite reporting it to Microsoft in June, threat actors quickly devised a method to bypass the patch. Though actively used, Microsoft hasn’t labeled it as under attack. The flaw impacts all supported Windows versions.
“Yes. CVE-2024-43461 was exploited as a part of an attack chain relating to CVE-2024-38112, prior to July 2024.” reads the advisory published by Microsoft. “We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain. See [CVE-2024-38112 – Security Update Guide – Microsoft – Windows MSHTML Platform Spoofing Vulnerability[(https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38112). Customers should both the July 2024 and September 2024 security update to fully protect themselves.”
Patch Tuesday security updates for September 2024 addressed the CVE-2024-43461 vulnerability.
In July, Trend Micro reported that an APT group tracked as Void Banshee was spotted exploiting the Windows zero-day CVE-2024-38112 (CVSS score of 7.5) to execute code through the disabled Internet Explorer. An attacker can trigger the issue by sending the victim a malicious file that the victim would have to execute. Trend Micro researchers discovered that the flaw was actively exploited in the wild in May.
Void Banshee was observed exploiting the CVE-2024-38112 flaw to drop the Atlantida info-stealer on the victims’ machines. The malware allows operators to gather system information and steal sensitive data, such as passwords and cookies, from multiple applications.
In the group’s attack chain, Void Banshee attempts to trick victims into opening zip archives containing malicious files disguised as book PDFs. The archives are disseminated in cloud-sharing websites, Discord servers, and online libraries, and other means. The APT group focuses on North America, Europe, and Southeast Asia.
“This zero-day attack is a prime example of how unsupported Windows relics are an overlooked attack surface that can still be exploited by threat actors to infect unsuspecting users with ransomware, backdoors, or as a conduit for other kinds of malware.” states Trend Micro.
Void Banshee exploited the disabled Internet Explorer process to run HTML Application (HTA) files using specially crafted .URL files with the MHTML protocol handler and the x-usc! directive. This technique resembles the exploitation of CVE-2021-40444, another MSHTML flaw that was exploited in zero-day attacks. The experts warn that this attack method is very concerning because Internet Explorer no longer receives updates or security fixes.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Windows)
