Microsoft warns that attackers exploited a recently patched Windows spoofing vulnerability as a zero-day before July 2024.
The company also raised concerns about another zero-day exploit that executed code through the disabled Internet Explorer browser.
Details of the Exploit
The flaw, CVE-2024-43461, is a high-severity issue. Microsoft fixed it in September 2024 Patch Tuesday updates, two months after attackers used it in the wild.
Microsoft identified the security bug as a spoofing issue in MSHTML. This platform, used in Internet Explorer, remains in Windows for certain applications despite the browser’s retirement.
Trend Micro’s Zero Day Initiative reported the bug. Attackers could execute arbitrary code when users visited a malicious page or opened a dangerous file.
How the Exploit Works
ZDI explains that the flaw lies in the prompt Internet Explorer shows users after a file download. Attackers craft file names so that the true extension is hidden from the user, which misleads them into opening harmful files. Once executed, the file runs code in the current user's context.
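As an added illustration, not code from the original article, ZDI or Microsoft, the following Python check flags download names whose visible extension looks like a harmless document while the true, final extension is executable, whether the real extension is pushed out of view by a run of blank-looking characters or simply stacked behind a document extension. The extension lists, the set of padding code points and the sample download log are assumptions constructed for this example.

```python
import unicodedata

# Extensions Windows will execute rather than merely open (assumed list).
EXECUTABLE_EXTS = {"hta", "exe", "js", "vbs", "cmd", "bat", "scr", "ps1"}
# Extensions a user would read as a harmless document (assumed list).
DOCUMENT_EXTS = {"pdf", "txt", "doc", "docx", "xls", "xlsx", "jpg", "png"}


def is_blank(ch: str) -> bool:
    """True for code points that draw nothing in a file-name field.
    Covers Unicode space separators (Zs), format characters (Cf) such as
    zero-width spaces, and U+2800 BRAILLE PATTERN BLANK, which renders
    empty but is not classified as whitespace (assumed padding set)."""
    return unicodedata.category(ch) in ("Zs", "Cf") or ch == "\u2800"


def hidden_extension(name: str):
    """Return (shown_ext, real_ext) when `name` ends in an executable
    extension that a user is unlikely to see, otherwise None."""
    stem, dot, real_ext = name.rpartition(".")
    real_ext = real_ext.strip().lower()
    if not dot or real_ext not in EXECUTABLE_EXTS:
        return None
    # Peel off any padding sitting between the visible part and the real extension.
    padding = 0
    while stem and is_blank(stem[-1]):
        stem = stem[:-1]
        padding += 1
    shown_ext = stem.rpartition(".")[2].lower()
    if padding > 0 or shown_ext in DOCUMENT_EXTS:
        return shown_ext, real_ext
    return None  # plain executables such as setup.exe are not flagged


def scan_downloads(names):
    """Apply hidden_extension() to a batch of names; return the hits."""
    hits = []
    for name in names:
        result = hidden_extension(name)
        if result is not None:
            hits.append((name, result[0], result[1]))
    return hits


# Constructed sample of file names as they might appear in a download log.
SAMPLE_DOWNLOADS = [
    "quarterly-report.pdf",                        # benign document
    "installer.exe",                               # honest executable
    "invoice.pdf" + "\u2800" * 20 + ".hta",        # extension pushed out of view
    "notes.txt\u200b\u200b\u200b.js",              # zero-width padding
    "photo.jpg.exe",                               # stacked extension
]

if __name__ == "__main__":
    for name, shown, real in scan_downloads(SAMPLE_DOWNLOADS):
        print(f"suspicious: shown as .{shown}, really .{real}: {name!r}")
```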
Microsoft’s Response
On Friday, Microsoft updated its CVE-2024-43461 advisory. The company confirmed that attackers exploited the vulnerability before July 2024 along with CVE-2024-38112, another MSHTML Windows spoofing flaw.
Microsoft stated:
“CVE-2024-43461 was part of an attack chain with CVE-2024-38112 before July 2024. We patched CVE-2024-38112 in July, which disrupted this chain. To stay protected, users should install both July and September 2024 updates.”
APT Group Behind the Attack
According to Trend Micro, an advanced persistent threat (APT) group known as Void Banshee exploited CVE-2024-38112 to run code using the disabled Internet Explorer.
The attackers used crafted URLs to open IE and redirect victims to a compromised website. This site hosted a malicious HTML Application (HTA) file, which silently downloaded malware in the background. The final payload led to Atlantida stealer infections.
How to Stay Safe
To protect against these attacks:
Install both July and September 2024 security updates immediately.
Avoid opening unknown HTA files or suspicious links.
Use modern browsers and disable legacy components when possible.
These vulnerabilities highlight the dangers of outdated technologies in Windows. Regular updates remain the best defense.