Hackers Exploited Windows Spoofing Vulnerability in Zero-Day Attacks

Published: Sep 18, 2024

Key Takeaways:

  • A Windows MSHTML Platform spoofing vulnerability (CVE-2024-43461) was exploited as a zero-day before Microsoft patched it in the September 2024 Patch Tuesday updates.
  • The flaw lets a crafted file name hide a file's true extension in Internet Explorer's download prompt, so a victim who opens what looks like a document actually runs attacker code; the MSHTML engine it lives in is what Internet Explorer mode in Microsoft Edge uses.
  • Microsoft urges customers to apply both the July 2024 updates (which fixed CVE-2024-38112, the other half of the attack chain) and the September 2024 updates to fully protect Windows systems.

Microsoft has disclosed a new Windows spoofing vulnerability that was addressed in the September 2024 Patch Tuesday updates. The company warned that cybercriminals had already exploited this flaw in zero-day attacks earlier in the year.

The vulnerability, tracked as CVE-2024-43461, is a spoofing flaw in the Windows MSHTML platform with a CVSS score of 8.8. MSHTML is the legacy Internet Explorer rendering engine, which still ships with Windows and is what Internet Explorer mode in the Microsoft Edge browser relies on. The bug was discovered and reported by Peter Girnus of Trend Micro's Zero Day Initiative (ZDI) on July 19. It leads to code execution on unpatched Windows systems, but not without user interaction: the attacker has to get the victim to visit a malicious website or open a crafted file, and the code then runs with the victim's own privileges.

“The specific flaw exists within the way Internet Explorer prompts the user after a file is downloaded. A crafted file name can cause the true file extension to be hidden, misleading the user into believing that the file type is harmless. An attacker can leverage this vulnerability to execute code in the context of the current user,” the Zero Day Initiative explained.
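The file-name trick ZDI describes can be checked for mechanically. The block below is an added example written for this article, not code from ZDI, Microsoft or the article's author. It models the download prompt as a fixed-width box that draws invisible characters as blanks and clips what does not fit, and it splits a name into the visible decoy extension, the run of invisible padding, and the real extension at the end. The padding used in the Void Banshee lures was a run of U+2800 BRAILLE PATTERN BLANK characters, which is why that code point is treated as blank even though Unicode does not class it as a space; the detector goes beyond that one case and also flags zero-width format characters, bare double extensions such as `.pdf.hta`, and the right-to-left override trick. The sample names and URL are constructed, and `%E2%A0%80` is simply the UTF-8 percent-encoding of U+2800 as it would appear in a proxy log.

```python
"""Flag file names built to hide an executable extension behind a harmless-
looking one (the CVE-2024-43461 lure shape). Added example for this article;
not ZDI, Microsoft or Void Banshee code. Sample names below are constructed."""
import os
import unicodedata
from urllib.parse import unquote, urlsplit

# Extensions Windows executes on double-click; .hta is what the Void Banshee lure used.
EXECUTABLE_EXTENSIONS = {
    ".hta", ".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
    ".bat", ".cmd", ".ps1", ".msi", ".lnk", ".url",
}
# Document/media extensions an attacker plants as the visible "decoy".
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                    ".txt", ".jpg", ".jpeg", ".png", ".gif", ".zip"}
# Code points that draw nothing although Unicode does not class them as spaces.
# U+2800 BRAILLE PATTERN BLANK is the padding seen in the CVE-2024-43461 lures.
BLANK_LOOKALIKES = {"\u2800", "\u115f", "\u1160", "\u3164", "\uffa0"}
# Bidirectional overrides reverse the displayed order of what follows them
# ("photo\u202egpj.exe" is drawn as "photoexe.jpg").
BIDI_CONTROLS = {"\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}


def is_invisible(ch: str) -> bool:
    """True if CH renders as blank or zero-width in a typical file prompt."""
    if ch in BLANK_LOOKALIKES:
        return True
    # Zs: space separators; Cf: format chars such as zero-width space; Cc: controls
    return unicodedata.category(ch) in ("Zs", "Cf", "Cc")


def _rstrip_invisible(s: str) -> str:
    end = len(s)
    while end and is_invisible(s[end - 1]):
        end -= 1
    return s[:end]


def analyze_filename(name: str) -> dict:
    """Split NAME into decoy extension, invisible padding and true extension,
    and decide whether the combination looks like an extension-hiding lure."""
    stem, true_ext = os.path.splitext(_rstrip_invisible(name))
    true_ext = true_ext.lower()
    visible_stem = _rstrip_invisible(stem)
    padding = len(stem) - len(visible_stem)     # invisible chars before the real extension
    decoy_ext = os.path.splitext(visible_stem)[1].lower()
    bidi = any(ch in BIDI_CONTROLS for ch in name)
    spoofed = true_ext in EXECUTABLE_EXTENSIONS and (
        padding > 0 or decoy_ext in DECOY_EXTENSIONS or bidi
    )
    return {"true_ext": true_ext, "decoy_ext": decoy_ext,
            "padding": padding, "bidi_override": bidi, "spoofed": spoofed}


def analyze_url(url: str) -> dict:
    """Same check for a download URL taken from proxy logs, where the padding
    shows up percent-encoded (U+2800 is %E2%A0%80 in UTF-8)."""
    last_segment = urlsplit(url).path.rsplit("/", 1)[-1]
    return analyze_filename(unquote(last_segment))


def displayed_name(name: str, width: int = 32) -> str:
    """Simplified model of a fixed-width prompt: invisibles draw as blanks and
    anything past WIDTH characters is clipped, so the true extension vanishes."""
    rendered = "".join(" " if is_invisible(ch) else ch for ch in name)
    return rendered[:width].rstrip()


# Constructed samples, not real lure names.
SAMPLE_LURE = "Conference_Agenda.pdf" + "\u2800" * 26 + ".hta"
SAMPLE_URL = ("http://files.example.invalid/Conference_Agenda.pdf"
              + "%E2%A0%80" * 26 + ".hta")

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, "Conference_Agenda.pdf",
                   "Invoice.docx\u200b\u200b.js", "photo\u202egpj.exe"):
        print(repr(displayed_name(sample)), analyze_filename(sample))
    print(analyze_url(SAMPLE_URL))
```

Run as a script it prints, for the constructed lure, a displayed name of `'Conference_Agenda.pdf'` next to a true extension of `.hta` with 26 characters of padding; the plain PDF name and `setup.exe`-style names are not flagged. The fixed-width model is deliberately simple, since the real prompt wraps and truncates in its own way; what matters for detection is the split between decoy and true extension, not the exact column at which the dialog cuts off.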

How does the attack chain work?

Microsoft first published the CVE-2024-43461 advisory on September 10 and at that time rated it as not exploited in the wild. The advisory was later revised after it emerged that the advanced persistent threat (APT) group Void Banshee had been using the flaw, chained with another MSHTML spoofing vulnerability (CVE-2024-38112), to target Windows devices.

In that chain, Void Banshee first exploited CVE-2024-38112, which let a crafted internet shortcut (.url) file invoke the retired Internet Explorer through the mhtml: protocol handler, and then used CVE-2024-43461 to make a malicious HTML Application (.hta) appear in the Internet Explorer download prompt as if it were a PDF. A victim who opened the supposed PDF ran the HTA, which deployed the Atlantida information stealer on the Windows system.

Microsoft's July 2024 Patch Tuesday updates fixed CVE-2024-38112, which disrupted the attack chain before CVE-2024-43461 itself was addressed in September. The company therefore urges customers to install both the July and September 2024 security updates to fully protect their Windows systems against this kind of chained attack.
