Windows Vulnerability CVE-2024-43461 Reclassified as Previously Exploited

Apps & Games / Close All Windows / Desktop / Windows / News Close All Windows for Desktop Windows / Windows Vulnerability CVE-2024-43461 Reclassified as Previously Exploited
18 Sep 2024

A recently addressed vulnerability in Windows, known as the "MSHTML spoofing vulnerability" and tracked under CVE-2024-43461, has been reclassified as previously exploited following its use in attacks orchestrated by the Void Banshee APT hacking group. Initially disclosed during the September 2024 Patch Tuesday, Microsoft did not label the vulnerability as previously exploited at that time. However, a recent update to the CVE-2024-43461 advisory has confirmed its exploitation prior to the fix.

The flaw was uncovered by Peter Girnus, a Senior Threat Researcher at Trend Micro's Zero Day initiative. In comments to BleepingComputer, Girnus indicated that the CVE-2024-43461 vulnerability was leveraged in zero-day attacks by Void Banshee to deploy information-stealing malware. This APT group, first identified by Trend Micro, targets organizations across North America, Europe, and Southeast Asia, aiming to extract sensitive data for financial gain.

The CVE-2024-43461 Zero-Day

In July, both Check Point Research and Trend Micro reported on attacks that exploited Windows zero-days to compromise devices with the Atlantida info-stealer, a tool designed to pilfer passwords, authentication cookies, and cryptocurrency wallets from affected systems. These attacks utilized two zero-days: CVE-2024-38112, which was patched in July, and CVE-2024-43461, which received a fix this month, forming part of a broader attack chain.

The discovery of CVE-2024-38112 was credited to Check Point researcher Haifei Li, who explained that it was exploited to manipulate Windows into opening malicious websites in Internet Explorer instead of Microsoft Edge when specially crafted shortcut files were launched. "Specifically, the attackers used special Windows Internet Shortcut files (.url extension), which, when clicked, would invoke the retired Internet Explorer (IE) to navigate to an attacker-controlled URL," Li detailed in a July report.

These URLs facilitated the download of a malicious HTA file, prompting users to open it. Upon opening, a script would execute, leading to the installation of the Atlantida info-stealer. The HTA files cleverly employed the CVE-2024-43461 zero-day to obscure their true extension, presenting themselves as PDFs during the Windows prompt, thereby increasing the likelihood of user engagement.

Girnus elaborated on the exploitation, noting that the CVE-2024-43461 flaw enabled the creation of a CWE-451 condition through HTA file names that incorporated 26 encoded braille whitespace characters (%E2%A0%80), effectively concealing the .hta extension. The file name would appear as a PDF but included these braille characters followed by the .hta extension, as illustrated below:

Books_A0UJKO.pdf%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80%E2%A0%80.hta

When Windows attempted to open this file, the braille whitespace characters pushed the HTA extension out of the visible interface, leaving only a '...' string in the prompts. This clever manipulation made the HTA files appear as benign PDF files, thus increasing the chances of users inadvertently executing them.

Following the installation of the security update for CVE-2024-43461, Girnus noted that while the whitespace is no longer stripped, Windows now accurately displays the .hta extension in prompts.

Security update now shows HTA extensionSource: Peter Girnus

However, this fix is not...

How to set up remote desktop on windows 11 pro?

To set up Remote Desktop on Windows 11 Pro, follow these steps: 1) Go to Settings > System > Remote Desktop. 2) Set 'Enable Remote Desktop' to 'On' and confirm any prompts. 3) Note the PC name under 'PC name'. 4) On the remote device, open the Remote Desktop app and enter the PC name. 5) Click 'Connect' and enter your user credentials. Ensure both devices are connected to the internet and the remote connection is allowed through the firewall.

How to crop a video on windows 10?

To crop a video on Windows 10, you can use the built-in Photos app. Follow these steps: 1) Open the Photos app and import your video. 2) Click 'Edit & Create' and select 'Trim'. 3) Adjust the sliders to select the portion of the video you want to keep. 4) Click 'Save a copy' to save the cropped video. For more advanced cropping, consider using third-party software like Adobe Premiere Pro or free alternatives like Shotcut.
Update: 18 Sep 2024
Close All Windows

Close All Windows download for free to PC or mobile

4
556 reviews
3110 downloads

News and reviews about Close All Windows

Loading...