Microsoft has recently reclassified a previously addressed bug in its September Patch Tuesday update as a zero-day vulnerability. This flaw, designated as CVE-2024-43461, has been exploited by the advanced persistent threat group known as “Void Banshee” since before July. The vulnerability is categorized as a remotely exploitable platform-spoofing issue within the legacy MSHTML (Trident) browser engine, which Microsoft retains in Windows for backward compatibility.
Affects All Supported Windows Versions
This vulnerability impacts all supported versions of Windows, granting remote attackers the ability to execute arbitrary code on affected systems. However, for an exploit to be successful, an attacker must persuade a potential victim to visit a malicious webpage or click on an unsafe link.
Initially, Microsoft rated the severity of this flaw at 8.8 on the 10-point CVSS scale when it was disclosed on September 10. At that time, there was no indication that it was a zero-day vulnerability. On September 13, Microsoft revised its assessment, revealing that attackers had been actively exploiting the flaw as part of an attack chain related to CVE-2024-38112, another MSHTML platform spoofing vulnerability that was patched in July 2024. Microsoft stated, “We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain.”
To ensure full protection against exploits targeting CVE-2024-43461, Microsoft urges customers to apply patches from both the July and September 2024 updates. Following Microsoft’s update on September 13, the US Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its known exploited vulnerabilities database on September 16, setting an implementation deadline of October 7 for federal agencies to adopt the vendor’s mitigations.
CVE-2024-43461 bears similarities to CVE-2024-38112, allowing attackers to manipulate user interfaces—specifically, the browser—to display misleading data. Check Point Research, credited by Microsoft for discovering CVE-2024-38112, described the flaw as enabling adversaries to send crafted URLs or Internet shortcut files that, when clicked, would trigger Internet Explorer to open a malicious URL, even if the browser is disabled. Additionally, Check Point noted that threat actors have employed a novel tactic to disguise malicious HTML application (HTA) files as harmless PDF documents during their exploits.
Trend Micro’s Zero Day Initiative (ZDI), which also claims credit for discovering CVE-2024-38112, reported that Void Banshee has exploited this vulnerability to deploy the Atlantida malware on Windows systems. In their observations, Trend Micro noted that the threat actor lured victims with malicious files masquerading as book PDFs, distributed through Discord servers, file-sharing websites, and other channels. Void Banshee is recognized as a financially motivated threat actor, targeting organizations across North America, Southeast Asia, and Europe.
A Two-Bug Microsoft Attack Chain
According to Microsoft’s updated advisory, attackers have been utilizing CVE-2024-43461 as part of a coordinated attack chain that also involves CVE-2024-38112. Researchers at Qualys previously indicated that exploits targeting CVE-2024-38112 would be equally effective against CVE-2024-43416, given their near-identical nature. Peter Girnus, a senior threat researcher at ZDI credited for CVE-2024-43461, explained that attackers leveraged CVE-2024-38112 to navigate to an HTML landing page through Internet Explorer using the MHTML protocol handler within a .URL file. “This landing page contains an which downloads an HTA file where the HTA extension is spoofed using CVE-2024-43461 to make the file appear to be a PDF to the victim,” he elaborated.
Girnus noted that while ZDI was aware of the exploitation of CVE-2024-43461, they had initially assumed that the patch for CVE-2024-38112 had resolved the issue. “We reversed this patch to realize that the spoofing vulnerability was not fixed. We promptly alerted Microsoft,” he stated.
In their July report on Void Banshee’s exploitation of CVE-2024-38112, Trend Micro highlighted how organizations can be vulnerable due to “unsupported Windows relics” like MSHTML, leading to the potential installation of ransomware, backdoors, and other malware. The attack surface is significant; a study conducted by Sevco on 500,000 Windows 10 and Windows 11 systems revealed that over 10% lacked any endpoint protection, while nearly 9% were deficient in patch management controls, leaving them exposed to threats.
“Environmental vulnerabilities such as missing endpoint security or patch management controls on devices combined with CVE vulnerabilities compound the risk that companies will leave paths to data exposed and allow malicious actors to exploit vulnerabilities like CVE-2024-43461,” remarked Greg Fitzgerald, co-founder of Sevco. “It’s critical for enterprises to take the first step of patching this vulnerability, but it can’t stop there.”
