Microsoft Discloses MSHTML Vulnerability, Urges Immediate Security Updates

17 Sep 2024

Microsoft's Security Vulnerability Exposes Long-Standing Risks

A recent development from Microsoft has cast a shadow over last week’s Patch Tuesday, revealing a security vulnerability that harkens back to the days of Internet Explorer. This long-dormant code, hidden within the operating systems of hundreds of millions of PCs, has become a target for threat actors, exposing a significant security gap that demands immediate attention.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has swiftly added CVE-2024-43461 to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is characterized as a user interface misrepresentation in the Microsoft Windows MSHTML Platform, which lets attackers spoof web pages. CISA has indicated that it has been exploited in tandem with CVE-2024-38112, a threat previously reported in July.

Check Point, a cybersecurity firm, raised alarms back in July, noting that attackers have been using crafted Windows Internet Shortcut (.url) files to launch URLs through Internet Explorer instead of modern browsers like Chrome or Edge. This tactic gives attackers a distinct advantage: it routes the victim into the retired browser's engine, letting them exploit its weaknesses even on systems running the latest versions of Windows 10 and 11.

CISA has set a deadline of October 7 for all Windows PCs to be updated, a directive primarily aimed at federal employees but often followed by various public and private organizations. This initiative underscores CISA’s mission to assist organizations in managing vulnerabilities and staying ahead of emerging threats.

For those who updated their systems since July, one of the two vulnerabilities in this exploit chain has already been addressed. The latest updates will patch the second vulnerability. Trend Micro’s Zero Day Initiative (ZDI) has highlighted that this vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows, typically initiated through a malicious webpage that users are tricked into visiting.

Microsoft has clarified that the MSHTML platform is used by Internet Explorer mode in Microsoft Edge and by other applications via the WebBrowser control, so the patch matters even on systems where Internet Explorer is never opened as a standalone browser. To ensure comprehensive protection, the company recommends that customers installing Security Only updates also apply the Internet Explorer Cumulative updates that address this vulnerability.

Furthermore, Microsoft has noted that CVE-2024-43461 was exploited as part of an attack chain linked to CVE-2024-38112 prior to July 2024. A fix for CVE-2024-38112 was released in July, effectively severing this attack chain. However, users who have not updated since then remain vulnerable to both threats, having overlooked the previous CISA deadline of July 30.

In addition to addressing the recent MSHTML vulnerabilities, September’s Patch Tuesday also tackled four other zero-day vulnerabilities, leading to an October 1 update deadline set by CISA. This situation mirrors recent developments with Android and Chrome, highlighting the necessity for organizations to navigate multiple CISA mandates with varying deadlines.

As previously reported, the attribution for the exploitation of MSHTML vulnerabilities has been linked to the advanced persistent threat group known as Void Banshee. This group employs tactics such as luring victims with zip archives containing malicious files disguised as book PDFs, disseminated through cloud-sharing platforms, Discord servers, and online libraries. Trend Micro warns that the capability of APT groups like Void Banshee to exploit outdated services like Internet Explorer poses a serious threat to organizations globally.
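The lure described above, Internet Shortcut files tucked into zip archives under document-looking names, is something a defender can triage mechanically. The following is an added example, not code from the article or from any vendor it cites: it parses the INI-style .url format, flags shortcuts whose name imitates a PDF or other document, and flags any URL scheme outside a plain http/https allowlist, since an unusual scheme is how a shortcut can be handed to a legacy handler rather than the default browser. The archive contents and the scheme name are constructed placeholders.

```python
import configparser
import io
import zipfile
from urllib.parse import urlsplit

# Schemes a benign Internet Shortcut is expected to carry; anything else
# deserves a closer look (placeholder allowlist, tighten to your environment).
EXPECTED_SCHEMES = {"http", "https"}
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".txt")

def triage_url_shortcut(filename: str, content: bytes) -> list:
    """Return findings for one .url file; an empty list means nothing odd."""
    findings = []
    lower = filename.lower()
    stem = lower[:-4] if lower.endswith(".url") else lower
    if stem.endswith(DECOY_EXTENSIONS):
        findings.append(f"{filename}: document-looking name hides a .url shortcut")
    # .url files are INI text: [InternetShortcut] section with a URL= key.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(content.decode("utf-8", errors="replace"))
    except configparser.Error:
        return findings + [f"{filename}: not a well-formed Internet Shortcut"]
    if not parser.has_option("InternetShortcut", "URL"):
        return findings + [f"{filename}: no URL= entry under [InternetShortcut]"]
    target = parser.get("InternetShortcut", "URL").strip()
    scheme = urlsplit(target).scheme.lower()
    if scheme not in EXPECTED_SCHEMES:
        findings.append(f"{filename}: unexpected URL scheme {scheme!r} in {target!r}")
    return findings

def triage_zip(archive: bytes) -> list:
    """Scan every .url member of a zip archive held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".url"):
                findings.extend(triage_url_shortcut(info.filename, zf.read(info)))
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample: one decoy-named shortcut and one ordinary one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Book.pdf.url", "[InternetShortcut]\r\nURL=example-scheme:placeholder\r\n")
        zf.writestr("vendor.url", "[InternetShortcut]\r\nURL=https://example.com/\r\n")
    return buf.getvalue()

if __name__ == "__main__":
    for line in triage_zip(build_sample_archive()):
        print(line)
```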

CISA continues to emphasize the importance of applying mitigations as per vendor instructions or discontinuing use of affected products if no mitigations are available. This directive underscores the urgency for users to either update their systems promptly or risk exposure to these significant threats.

Update: 17 Sep 2024