This past fortnight has been particularly eventful for users of Microsoft Windows, marked by the rollout of the 24H2 update, the revival of Recall, the discontinuation of yet another workaround for Windows 11 upgrades, and the latest incident involving the infamous blue screen of death. Amidst these developments, it’s easy for users to overlook the impending update deadline, which is now just 72 hours away. This deadline is crucial for safeguarding against a “critical vulnerability” that has recently come under attack.
Critical Vulnerability Alert
The vulnerability in question is identified as CVE-2024-43461, which emerged as an unwelcome addition to Microsoft’s September security update. This alert echoes a similar warning issued back in July and has prompted the U.S. government’s cybersecurity agency to include it in its Known Exploited Vulnerabilities (KEV) catalog. According to the Cybersecurity and Infrastructure Security Agency (CISA), “Microsoft Windows MSHTML Platform contains a user interface (UI) misrepresentation of critical information vulnerability that allows an attacker to spoof a web page.” CISA further notes that this vulnerability was exploited in conjunction with CVE-2024-38112.
CISA has mandated that Windows users apply necessary mitigations by October 7. While this requirement is mandatory for federal employees, many public and private organizations tend to follow suit. CISA’s mission is to assist organizations in effectively managing vulnerabilities and keeping pace with evolving threat landscapes, particularly in high-profile sectors.
Security concerns are heightened at present, with the recent CrowdStrike incident fresh in the minds of many, alongside ongoing tensions in the Middle East and Eastern Europe. These geopolitical factors have raised alert levels and the potential for offensive cyber activities targeting critical infrastructure.
In July, I reported on CVE-2024-38112, during which Check Point highlighted that attackers had been exploiting “special Windows Internet Shortcut files” to redirect users to malicious URLs via the outdated Internet Explorer, rather than more modern browsers like Edge or Chrome. They cautioned that “the attacker gains significant advantages in exploiting the victim’s computer,” even if it is running the latest Windows 10 or 11 operating systems.
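As an added illustration of the defensive side of the Internet Shortcut vector mentioned above (example code written for this page, not from the article, Check Point or Microsoft), the following Python helper parses Windows .url files and surfaces any whose target scheme is not plain http/https for analyst review. The scheme check is an assumed triage heuristic, not a detection signature for either CVE, and the sample shortcut bodies are constructed.

```python
from urllib.parse import urlsplit

# Schemes a normal web shortcut is expected to use; anything else is surfaced
# for a human to review (assumed triage heuristic, not a vulnerability signature).
EXPECTED_SCHEMES = {"http", "https"}

def parse_internet_shortcut(text: str) -> dict:
    """Parse the INI-style body of a .url file and return the keys of its
    [InternetShortcut] section with lower-cased names."""
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            fields[key.strip().lower()] = value.strip()
    return fields

def triage_shortcut(text: str) -> dict:
    """Classify one shortcut body without ever following its target."""
    fields = parse_internet_shortcut(text)
    url = fields.get("url", "")
    scheme = urlsplit(url).scheme.lower()
    return {
        "url": url,
        "scheme": scheme,
        "suspicious": bool(url) and scheme not in EXPECTED_SCHEMES,
    }

# Constructed sample shortcut bodies (not real samples from any campaign).
SAMPLES = {
    "benign.url": "[InternetShortcut]\nURL=https://example.com/page\nIconIndex=0\n",
    "odd_scheme.url": "[InternetShortcut]\nURL=file:///C:/constructed/example.txt\n",
    "no_section.url": "[Other]\nURL=https://example.com/\n",
}

def flagged_samples() -> list:
    """Names of the constructed samples the heuristic would escalate."""
    return [name for name, body in SAMPLES.items() if triage_shortcut(body)["suspicious"]]

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, triage_shortcut(body))
```

Run it over a directory of quarantined .url attachments to produce a short review list; flagged files still need a human decision, since unusual schemes also appear in legitimate intranet shortcuts.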
Trend Micro’s Zero Day Initiative (ZDI) has flagged the latest CVE, stating that it “allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows.” Users may find themselves lured into visiting a rogue webpage designed to facilitate the attack.
These two vulnerabilities have been exploited in tandem, with patching the first also addressing the second. However, in a landscape where nearly a billion users remain resistant to upgrading to Windows 11, it remains uncertain whether their PCs have been updated since the initial warning. If they haven’t, these systems are at significant risk. For those hesitating to transition to Windows 11, this situation serves as a stark reminder of the dangers of remaining on unsupported versions, illustrating that inaction is not a viable option.