Microsoft has reclassified a bug previously addressed in its September Patch Tuesday updates as a zero-day vulnerability, acknowledging that the advanced persistent threat (APT) group Void Banshee has been exploiting it since July 2024. The flaw, designated CVE-2024-43461, is a platform-spoofing vulnerability in the legacy MSHTML (Trident) browser engine, which Microsoft still ships in Windows for backward compatibility even though Internet Explorer itself is retired.
The flaw affects all supported versions of Windows and lets an attacker execute arbitrary code in the context of the logged-on user. The attack vector requires user interaction: the victim has to be lured into visiting a malicious web page or opening a malicious file.
Microsoft publicly acknowledged the issue on September 10, assigning it a Common Vulnerability Scoring System (CVSS) rating of 8.8. However, the company did not classify it as a zero-day vulnerability at the time of initial disclosure.
“This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows,” researchers reported. “User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.”
On further analysis, however, Microsoft updated its advisory to confirm that the flaw had been exploited in the wild. The vulnerability was found to be part of an attack chain involving an earlier MSHTML spoofing flaw, CVE-2024-38112, which had been patched in July 2024.
The revised assessment prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2024-43461 to its list of known exploited vulnerabilities. Federal agencies have been given a deadline of October 7 to apply the necessary mitigations, reports DarkReading.
Void Banshee, a financially motivated APT, has been actively exploiting CVE-2024-43461 and CVE-2024-38112. Researchers have also revealed that the group leveraged the vulnerabilities to distribute the Atlantida information stealer through phishing campaigns that disguised malicious files as legitimate documents, such as PDFs. Victims are often targeted via Discord servers and file-sharing platforms.
Void Banshee used CVE-2024-38112 to force a crafted URL to open in Internet Explorer's MSHTML engine, even on systems where Internet Explorer has been disabled. The URL led victims to an HTML landing page that initiated the download of a disguised HTML Application (HTA) file.
“The specific flaw exists within the way Internet Explorer prompts the user after a file is downloaded. A crafted file name can cause the true file extension to be hidden, misleading the user into believing that the file type is harmless. An attacker can leverage this vulnerability to execute code in the context of the current user,” Microsoft had already warned.
The attackers then exploited CVE-2024-43461 to make this HTA file appear as a benign PDF, further deceiving their targets.
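The file-name trick described in the advisory quoted above, a decoy document extension shown to the user while the real extension is pushed out of view, is something a download prompt, mail gateway or EDR rule can check for directly. The following Python script is an added example, not code from the article or from Microsoft, ZDI or Trend Micro. Public analyses of this campaign reported that the padding was done with U+2800 (braille pattern blank) characters; the script takes that as an assumption, and its lists of executable and blank-looking characters, its severity labels and its sample file names are all constructed for the example. It also covers the older right-to-left-override (U+202E) variant of the same spoof, which the article does not discuss.

```python
"""Flag download file names whose real extension is hidden behind blank-looking Unicode.

Added example, not code from the article or the vendors it cites. The U+2800 padding
is what public write-ups of the Void Banshee campaign reported (assumption here); the
character lists, extension lists, severity labels and sample names are constructed.
"""
import re

# Extensions Windows executes directly or hands to a script host (example list, not exhaustive).
EXECUTABLE_EXTENSIONS = {
    "hta", "exe", "scr", "com", "pif", "lnk", "url", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "cmd", "bat", "ps1", "msi", "msc",
}

# Extensions users treat as inert documents; a decoy drawn from this set raises severity.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "png"}

# Code points that render blank or zero-width in common UI fonts but are not ASCII space.
# U+2800 is the one reported for this campaign (assumption, see module docstring).
BLANK_LIKE = (
    {0x2800, 0x00A0, 0x202F, 0x205F, 0x3000, 0xFEFF, 0x200B, 0x200C, 0x200D, 0x2060, 0x180E}
    | set(range(0x2000, 0x200B))  # EN QUAD .. ZERO WIDTH SPACE
)
RLO = 0x202E  # RIGHT-TO-LEFT OVERRIDE: makes "gnp.scr" display as "rcs.png"

_EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,5})$")


def real_extension(name: str) -> str:
    """The extension Windows will act on: the text after the last dot, lower-cased."""
    parts = name.rsplit(".", 1)
    return parts[1].lower() if len(parts) == 2 and parts[1] else ""


def decoy_extension(name: str) -> str:
    """The extension a user sees: the last '.ext' before the first deceptive character."""
    cut = len(name)
    for i, ch in enumerate(name):
        if ord(ch) in BLANK_LIKE or ord(ch) == RLO:
            cut = i
            break
    m = _EXT_RE.search(name[:cut].rstrip())
    return m.group(1).lower() if m else ""


def analyze_filename(name: str) -> dict:
    """Classify one file name and return the verdict with the evidence behind it."""
    real = real_extension(name)
    decoy = decoy_extension(name)
    padding = sum(1 for ch in name if ord(ch) in BLANK_LIKE)
    rlo = any(ord(ch) == RLO for ch in name)
    deceptive = (padding > 0 or rlo) and decoy != real
    if real in EXECUTABLE_EXTENSIONS and deceptive:
        severity = "high" if decoy in DOCUMENT_EXTENSIONS else "medium"
    elif real in EXECUTABLE_EXTENSIONS:
        severity = "low"  # honest executable: still worth a prompt, but not a spoof
    else:
        severity = "none"
    return {"name": name, "real_ext": real, "decoy_ext": decoy,
            "padding_chars": padding, "rlo": rlo, "severity": severity}


def scan(names):
    """Return only the entries a download prompt or gateway should block or escalate."""
    return [r for r in (analyze_filename(n) for n in names) if r["severity"] in ("high", "medium")]


# Constructed sample names (not real campaign artefacts): a decoy PDF padded with 26 braille
# blanks before the real .hta, an RLO-based spoof, and two honest names.
SAMPLES = [
    "Books_A0UJKO.pdf" + "\u2800" * 26 + ".hta",
    "holiday\u202Egnp.scr",
    "invoice.pdf",
    "setup.exe",
]

if __name__ == "__main__":
    for r in scan(SAMPLES):
        print(f"{r['severity']:6} real=.{r['real_ext']} shown=.{r['decoy_ext'] or '?'} "
              f"padding={r['padding_chars']} rlo={r['rlo']}")
```

The check deliberately keys on the extension Windows will actually use (everything after the last dot) rather than on what a truncated dialog happens to display, so it does not depend on the width of any particular prompt. The non-breaking space (U+00A0) is a weak signal on its own and will occasionally flag legitimate names; tune `BLANK_LIKE` to your environment before blocking rather than alerting.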
Security researchers have highlighted the dangers posed by legacy Windows components like MSHTML, which remain in the operating system for compatibility reasons but present a large attack surface for threat actors.
Researchers have urged users and organisations to apply Microsoft’s latest patch to mitigate the flaw. “Customers should install both the July 2024 and September 2024 security updates to fully protect themselves,” Microsoft concludes.