Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Microsoft Says Recent Windows Vulnerability Exploited as Zero-Day

Microsoft warns that a recently patched Windows vulnerability was exploited in the wild as a zero-day prior to July 2024.

Microsoft has raised the alarm on a second Windows vulnerability that was exploited as a zero-day to execute code through the disabled Internet Explorer browser.

The flaw, tracked as CVE-2024-43461, is a high-severity issue resolved with the September 2024 Patch Tuesday updates, more than two months after being exploited in the wild.

According to Microsoft, the security defect is a spoofing bug in MSHTML (MIME encapsulation of aggregate HTML documents), the underlying platform used in IE. While the browser has been retired, the platform is still present in Windows and is used by applications in certain circumstances.

Trend Micro’s Zero Day Initiative, which was credited for reporting the bug, explains that it allows attackers to execute arbitrary code if the user visits a malicious page or opens a malicious file.

“The specific flaw exists within the way Internet Explorer prompts the user after a file is downloaded. A crafted file name can cause the true file extension to be hidden, misleading the user into believing that the file type is harmless. An attacker can leverage this vulnerability to execute code in the context of the current user,” ZDI notes in an advisory.

On Friday, the tech giant updated its advisory for CVE-2024-43461 to warn that the vulnerability was exploited in attacks prior to July 2024 along with CVE-2024-38112, another MSHTML spoofing flaw.

“CVE-2024-43461 was exploited as a part of an attack chain relating to CVE-2024-38112, prior to July 2024. We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain. Customers should install both the July 2024 and September 2024 security updates to fully protect themselves,” Microsoft notes.

According to a Trend Micro report, CVE-2024-38112 was exploited by an advanced persistent threat (APT) actor tracked as Void Banshee to execute code using the disabled IE.

Advertisement. Scroll to continue reading.

The threat actor used crafted URLs that opened IE and redirected users to a compromised website hosting a malicious HTML Application (HTA) file that was executed to download a malicious payload in the background. The chain led to Atlantida stealer infections.

Related: Microsoft Tackling Windows Logfile Flaws With New HMAC-Based Security Mitigation

Related: Windows Hello Fingerprint Authentication Bypassed on Popular Laptops

Related: Microsoft Reclassifies Windows Flaw After IBM Researcher Proves Remote Code Execution

Related: Windows Event Log Vulnerabilities Could Be Exploited to Blind Security Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.