Windows spoofing flaw exploited in earlier zero-day attacks

Microsoft reveals that CVE-2024-43461, which was disclosed in September's Patch Tuesday, was previously exploited as a zero-day vulnerability in an attack chain.

Microsoft revealed that a Windows spoofing vulnerability disclosed in last week's Patch Tuesday was exploited in zero-day attacks earlier this year.

The spoofing vulnerability, tracked as CVE-2024-43461, is a high-severity flaw in Windows' MSHTML platform with a CVSS score of 8.8. The flaw, which was disclosed and patched in Microsoft's September Patch Tuesday, affects Internet Explorer mode in the Microsoft Edge browser.

CVE-2024-43461 was discovered and reported by Peter Girnus, senior threat hunter at Trend Micro's Zero Day Initiative. According to a ZDI advisory, the spoofing vulnerability lets a remote attacker execute code on unpatched Windows systems, provided the victim can be tricked into opening the crafted file. "The specific flaw exists within the way Internet Explorer prompts the user after a file is downloaded. A crafted file name can cause the true file extension to be hidden, misleading the user into believing that the file type is harmless," the advisory read.
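The ZDI description above is a file-name spoof: the extension Windows will act on is the text after the last dot, but padding or direction-override characters can push it out of the part of a download prompt the user actually sees. The following is an added example, not code from the page, from ZDI or from Microsoft; it is a generic triage heuristic for download names. The set of "executable" extensions, the padding character classes it looks for and the fixed 40-character display width it assumes for a prompt are all assumptions for illustration, and the sample file names are constructed, not taken from any real campaign.

```python
import re
import unicodedata

# Assumed, illustrative list of extensions Windows runs or hands to a script host.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "ps1", "hta", "js", "jse",
    "vbs", "vbe", "wsf", "wsh", "lnk", "msi", "cpl", "url",
}


def _is_padding_char(ch):
    """True for characters that occupy or hide space but are not an ASCII space:
    Unicode space separators, format characters (bidi overrides, zero-width
    joiners) and the Braille blank U+2800, which many fonts render as empty."""
    if ch == " ":
        return False
    return unicodedata.category(ch) in {"Zs", "Zl", "Zp", "Cf"} or ch == "\u2800"


def true_extension(name):
    """The extension Windows acts on: text after the last dot, lower-cased."""
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def analyze_filename(name, display_width=40):
    """Flag download names whose real extension is likely hidden from the user.
    display_width is an assumed fixed-width name field in a prompt."""
    findings = []
    ext = true_extension(name)
    stem = name[: len(name) - len(ext) - 1] if ext else name

    padding = [ch for ch in name if _is_padding_char(ch)]
    if padding:
        codepoints = sorted({f"U+{ord(c):04X}" for c in padding})
        findings.append("non-ASCII padding/format characters: " + ", ".join(codepoints))

    if re.search(r" {8,}", name):
        findings.append("long run of ASCII spaces")

    if "\u202e" in name or "\u202d" in name:
        findings.append("bidi override character (rendered order differs from stored order)")

    # Decoy extension: what is left of the stem once padding is removed often
    # ends in a harmless-looking extension such as .pdf or .txt.
    visible_stem = "".join(ch for ch in stem if not _is_padding_char(ch)).rstrip(" ")
    decoy = true_extension(visible_stem)
    if decoy and decoy != ext:
        findings.append(f"decoy extension .{decoy} before real extension .{ext}")

    # Real extension falls outside the assumed visible portion of the prompt.
    shown = name[:display_width]
    if ext and not shown.lower().endswith("." + ext):
        findings.append(f"real extension .{ext} lies beyond the first {display_width} characters")

    return {
        "name": name,
        "true_extension": ext,
        "findings": findings,
        # An executable extension alone is normal; the combination with
        # concealment tricks is what warrants a block or an analyst's look.
        "risky": bool(findings) and ext in EXECUTABLE_EXTENSIONS,
    }


# Constructed sample names for demonstration only.
SAMPLES = [
    "quarterly-report.pdf",
    "setup.exe",
    "quarterly-report.pdf" + "\u2800" * 40 + ".hta",
    "notes.txt" + " " * 60 + ".lnk",
    "invoice\u202efdp.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = analyze_filename(sample)
        print(f"{result['true_extension']:>4}  risky={result['risky']!s:5}  {result['findings']}")
```

Run it against names from proxy or download logs rather than from the prompt itself; the point of the check is that the string the user sees and the string Windows dispatches on are the same bytes, so the concealment is visible to a log parser even when it is invisible in a dialog.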

Microsoft on Friday updated its own advisory for CVE-2024-43461 and revealed that the flaw had previously been exploited in the wild as a zero-day vulnerability. "CVE-2024-43461 was exploited as a part of an attack chain relating to CVE-2024-38112, prior to July 2024. We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain," Microsoft said in the updated advisory.

CVE-2024-38112 is also a spoofing vulnerability in Windows' MSHTML platform that was disclosed and fixed in Microsoft's July Patch Tuesday. The flaw was discovered and reported to Microsoft by Haifei Li, principal vulnerability researcher at Check Point Software Technologies.

In a blog post published July 9, Li presented technical evidence that CVE-2024-38112 had been exploited as far back as January 2023. "This suggests that threat actors have been using the attacking techniques for quite some time," Li wrote in the blog post.

Several days later, a Trend Micro report co-authored by Girnus revealed that CVE-2024-38112 was exploited by an advanced persistent threat (APT) group known as Void Banshee. According to the report, Void Banshee used the zero-day flaw to deploy a new information stealer called Atlantida.

Trend Micro warned that even though Microsoft ended support for Internet Explorer in 2022, IE code is still present in Windows. That lets threat actors exploit flaws like CVE-2024-38112 despite the absence of the IE application on targeted systems.

"In this campaign, we have observed that even though users may no longer be able to access IE, threat actors can still exploit lingering Windows relics like IE on their machine to infect users and organizations with ransomware, backdoors, or as a proxy to execute other strains of malware," the report said. "The ability of APT groups like Void Banshee to exploit disabled services such as IE poses a significant threat to organizations worldwide."

It's unclear how CVE-2024-43461's previous exploitation was discovered. TechTarget Editorial contacted Microsoft for additional comment, but the company had not responded at press time.

Microsoft's updated advisory encouraged users to apply the July 2024 and September 2024 security updates to fully protect their systems.

Rob Wright is a longtime reporter and senior news director for TechTarget Editorial's security team. He drives breaking infosec news and trends coverage.
