Microsoft Confirms Zero-Day Exploitation of IE Vulnerability CVE-2024-43461

17 Sep 2024

Microsoft recently provided an update regarding a previously disclosed vulnerability in Internet Explorer, confirming that the flaw, identified as CVE-2024-43461, was exploited as a zero-day before it could be patched. This security issue, rated 8.8 out of 10 on the CVSS severity scale, was initially described as an “important” spoofing flaw, and Microsoft had previously stated that it was not exploited in the wild.

Details of the Vulnerability

The vulnerability allows an attacker to obscure the true file-type extension of a downloaded file in Internet Explorer, using non-printing braille Unicode characters to mislead users into opening what appears to be a harmless file. In reality, this could execute malicious code on the user’s system. To effectively exploit this flaw, an attacker would likely need to combine it with other vulnerabilities.

This particular issue, a Windows MSHTML platform spoofing vulnerability, was reported to Microsoft by Peter Girnus from Trend Micro’s Zero Day Initiative (ZDI). According to ZDI, the flaw permits remote attackers to execute arbitrary code on affected Windows installations, requiring user interaction through visiting a malicious page or opening a harmful file.

Microsoft’s internal team, including Michael Macelletti, Naiyi Jiang, and an individual known only as “Adel,” also contributed to the discovery of CVE-2024-43461. It has since been revealed that this vulnerability was previously exploited by a malware-spreading group known as Void Banshee, which leveraged it in conjunction with another vulnerability, CVE-2024-38112, to compromise victims’ systems.

The Exploit Chain

CVE-2024-38112, which was patched in July, allowed attackers to use a specially crafted Windows Internet Shortcut file to open a specific URL in the now-retired Internet Explorer. Void Banshee exploited this vulnerability to trigger CVE-2024-43461, tricking users into executing a malicious HTML Application (.hta) file disguised as an innocuous download. This ultimately led to the deployment of the info-stealing Atlantida malware on the victims’ machines, allowing attackers to exfiltrate sensitive data, including saved website credentials.
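A defender can check download names for the extension-hiding pattern described in the two sections above. The following is an added example, not code from Microsoft, ZDI, or the original article: it decodes a file name, finds a run of blank-rendering characters in front of the final extension, and reports the decoy extension next to the real one. The function names, the risky-extension list, the handling of blank characters other than U+2800 (the braille blank), and the sample names are assumptions constructed for illustration.

```python
import os
import unicodedata
from urllib.parse import unquote

BRAILLE_BLANK = "\u2800"  # BRAILLE PATTERN BLANK: category So, draws nothing
# Assumption: extensions treated as directly executable; tune for your estate.
RISKY_EXTENSIONS = {".hta", ".exe", ".scr", ".js", ".vbs", ".lnk", ".url"}

def is_padding(ch):
    """True for characters that take up room in a name but show no glyph."""
    # Assumption: Unicode space separators (Zs) and format characters (Cf)
    # are handled like the braille blank the article describes.
    return ch == BRAILLE_BLANK or unicodedata.category(ch) in ("Zs", "Cf")

def inspect_download_name(raw_name):
    """Classify a download file name or the last segment of its URL."""
    name = unquote(raw_name)  # "%E2%A0%80" decodes to U+2800
    stem, real_ext = os.path.splitext(name)
    real_ext = real_ext.lower()
    # Peel the blank run that sits directly in front of the real extension.
    visible_stem = stem
    while visible_stem and is_padding(visible_stem[-1]):
        visible_stem = visible_stem[:-1]
    pad_run = len(stem) - len(visible_stem)
    # Only a name with such a run has a decoy; "archive.tar.gz" does not.
    decoy_ext = os.path.splitext(visible_stem)[1].lower() if pad_run else ""
    # Ordinary ASCII spaces inside a name are normal and not counted here.
    hidden = sum(1 for ch in name if ch != " " and is_padding(ch))
    if decoy_ext and decoy_ext != real_ext:
        verdict = "spoofed-extension"
    elif hidden:
        verdict = "hidden-characters"
    else:
        verdict = "clean"
    return {"verdict": verdict, "decoy_ext": decoy_ext, "real_ext": real_ext,
            "pad_run": pad_run, "risky": real_ext in RISKY_EXTENSIONS}

if __name__ == "__main__":
    # Constructed sample names, not taken from any real campaign.
    samples = ["invoice_2024.pdf" + BRAILLE_BLANK * 20 + ".hta",
               "report.pdf%E2%A0%80%E2%A0%80.hta",
               "Quarterly Report.pdf", "archive.tar.gz"]
    for sample in samples:
        print(repr(sample), inspect_download_name(sample))
```

The same check can be run over proxy logs, mail attachment names, or a downloads folder listing; a "spoofed-extension" verdict with `risky` set is the combination worth alerting on.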

In July, Microsoft acknowledged Haifei Li from Check Point Research for discovering CVE-2024-38112, although ZDI also asserted that it deserved recognition for its role in uncovering the flaw. The complexities surrounding these vulnerabilities highlight the collaborative nature of cybersecurity research, where multiple entities contribute to identifying and reporting threats.

Recent Developments

More recently, ZDI disclosed the file-type spoofing flaw on July 19, and Microsoft issued a fix this month, on September 10. Shortly thereafter, Microsoft updated its advisory to confirm that CVE-2024-43461 had been exploited in conjunction with CVE-2024-38112 prior to the July patch.

In a statement, Microsoft noted that the patch for CVE-2024-38112 was intended to disrupt the exploit chain, urging customers to apply both the July and September updates for comprehensive protection. However, ZDI indicated that the July patch did not fully eliminate the vulnerability, necessitating the subsequent update to address the file-extension issue and the reactivation of Internet Explorer.

Dustin Childs, head of threat awareness at ZDI, expressed satisfaction with Microsoft’s acknowledgment of the file-extension-hiding bug, emphasizing the importance of accurate threat reporting for network defenders. He noted that the exploit utilized a combination of vulnerabilities, and while Microsoft believed the July patch was sufficient, it left certain attack vectors unprotected.

As the cybersecurity landscape continues to evolve, the collaboration between organizations like Microsoft, ZDI, and Check Point Research plays a crucial role in enhancing defenses against emerging threats.

There is a problem with this website's security certificate in Internet Explorer?

If you encounter a security certificate issue in Internet Explorer, it might be due to an expired certificate, a mismatch in the website's address, or the certificate not being from a trusted authority. To resolve this, check your system clock for accuracy, and try updating your browser. You can also manually install the certificate by clicking 'Continue to this website (not recommended),' then clicking on 'Certificate Error' in the address bar, and 'View certificates.' Choose 'Install Certificate' and follow the prompts. Note that this can be risky if the site is not trustworthy.

How to save a webpage as a PDF in Internet Explorer?

To save a webpage as a PDF in Internet Explorer, you can use a built-in print option or third-party software. Using Internet Explorer's built-in option:

1. Open the desired webpage.
2. Press 'Ctrl+P' to open the Print dialog box.
3. Select 'Microsoft Print to PDF' from the list of printers.
4. Click 'Print.'
5. Choose the destination folder and filename, then click 'Save.'

Alternatively, you can use browser extensions or third-party PDF printers for more features and flexibility.
Update: 17 Sep 2024