Windows spoofing flaw exploited in earlier zero-day attacks

Windows spoofing flaw exploited in earlier zero-day attacks

Microsoft warns that a recently patched Windows vulnerability was exploited in the wild as a zero-day prior to July 2024.

Microsoft has raised the alarm on a second Windows vulnerability that was exploited as a zero-day to execute code through the disabled Internet Explorer browser.

The flaw, tracked as CVE-2024-43461, is a high-severity issue resolved with the September 2024 Patch Tuesday updates, more than two months after being exploited in the wild.

According to Microsoft, the security defect is a spoofing bug in MSHTML (MIME encapsulation of aggregate HTML documents), the underlying platform used in IE. While the browser has been retired, the platform is still present in Windows and is used by applications in certain circumstances.

Trend Micro’s Zero Day Initiative, which was credited for reporting the bug, explains that it allows attackers to execute arbitrary code if the user visits a malicious page or opens a malicious file.

“The specific flaw exists within the way Internet Explorer prompts the user after a file is downloaded. A crafted file name can cause the true file extension to be hidden, misleading the user into believing that the file type is harmless. An attacker can leverage this vulnerability to execute code in the context of the current user,” ZDI notes in an advisory.

On Friday, the tech giant updated its advisory for CVE-2024-43461 to warn that the vulnerability was exploited in attacks prior to July 2024 along with CVE-2024-38112, another MSHTML spoofing flaw.

“CVE-2024-43461 was exploited as a part of an attack chain relating to CVE-2024-38112, prior to July 2024. We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain. Customers should install both the July 2024 and September 2024 security updates to fully protect themselves,” Microsoft notes.

According to a Trend Micro report, CVE-2024-38112 was exploited by an advanced persistent threat (APT) actor tracked as Void Banshee to execute code using the disabled IE.

The threat actor used crafted URLs that opened IE and redirected users to a compromised website hosting a malicious HTML Application (HTA) file that was executed to download a malicious payload in the background. The chain led to Atlantida stealer infections.