Microsoft Recategorizes Recently Fixed Vulnerability as a Zero-Day Bug


  • The recently fixed CVE-2024-43461 bug has been recategorized as a zero-day vulnerability, as it was used in attacks, including a chain attack with CVE-2024-38112 (another bug) in July 2024.
  • When it was initially discovered, Microsoft didn’t know it had already been exploited before it could be patched.
  • The company has released patches for both bugs and has asked users to install both to fully protect their systems against future attacks.

Microsoft has revealed that a vulnerability it recently fixed was once again exploited before it could be patched.

The bug, identified as CVE-2024-43461, was being exploited by the “Void Banshee” threat group since July. The attacks mostly targeted organizations in North America, Southeast Asia, and Europe.

When the bug was initially disclosed on September 10, the company said it had not been exploited. However, in an update last week (September 13), the company revealed that the bug had been exploited for at least two months prior to patching, i.e., prior to July 2024, in an attack chain related to CVE-2024-38112 (another MSHTML spoofing flaw).

The patch for CVE-2024-38112 was released in Microsoft’s July security update, which broke the attack chain. The patch for CVE-2024-43461 followed in September. The company has urged users to install both patches to fully secure their systems against these attacks.

On September 16, the US Cybersecurity and Infrastructure Security Agency (CISA) also added the flaw to its list of known exploited vulnerabilities with a deadline of October 7 for federal agencies to implement the vendor’s mitigations for it.

About the Bugs

CVE-2024-43461 is a critical spoofing flaw in the legacy MSHTML (Trident) browser engine. It’s remotely exploitable and has a severity rating of 8.8 on the 10-point CVSS scale. It’s currently affecting all supported versions of Windows.

CVE-2024-38112 is a nearly identical flaw. It allows the threat actor to deliver malicious URLs or internet shortcut files.

Clicking on such a file causes Internet Explorer to open a malicious URL, even when the browser is disabled. In some cases, the attackers disguised their malicious files as harmless PDF documents when exploiting the flaw.

How Does It Work?

In a standalone attack using CVE-2024-43461, the user is tricked into visiting a malicious website in Internet Explorer and clicking a malicious link. Doing so starts the download of an infected file.

This is where the CVE-2024-43461 vulnerability comes in. Exploiting it allows the threat actors to conceal the true extension of the malicious file, making the user think they are downloading a harmless file.

Once that file is downloaded and the user clicks on it, the attacker is able to execute arbitrary code on affected systems.

In the chain attack, the victims were tricked into opening malicious HTML Applications (.hta) disguised as harmless PDFs. This in turn ran the info-stealing Atlantida malware on the user’s system, which would steal all their private data, including website login credentials.
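As an added defensive example (not from the article, Microsoft, or the researchers named here), the following Python triage check mirrors the chain described above: it flags a download whose name advertises .pdf while the extension Windows will actually act on is .hta or another executable type, and cross-checks the file bytes against the PDF header. The padding-character heuristic, the extension list, and the sample filenames are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath
from typing import List

# Extensions Windows hands to a script host or the shell instead of a document viewer.
EXECUTABLE_EXTS = {".hta", ".url", ".lnk", ".js", ".jse", ".vbs", ".wsf", ".exe", ".scr", ".cmd", ".bat"}

def effective_extension(name: str) -> str:
    """Extension Windows actually acts on: the last suffix after trailing spaces and dots are discarded."""
    return PurePosixPath(name.rstrip(" .")).suffix.lower()

def assess_filename(name: str) -> List[str]:
    """Flag names that advertise .pdf while the effective extension is executable."""
    findings = []
    ext = effective_extension(name)
    if ext not in EXECUTABLE_EXTS:
        return findings
    findings.append(f"effective extension is executable ({ext})")
    stem = name.rstrip(" .")[: -len(ext)]
    decoy = re.search(r"\.pdf", stem, re.IGNORECASE)
    if decoy:
        findings.append("decoy '.pdf' appears before the real extension")
        filler = stem[decoy.end():]
        # Padding made only of whitespace or non-ASCII characters renders as blank in most
        # file dialogs and pushes the real '.hta' out of view (heuristic, an assumption).
        if filler and all(c.isspace() or not c.isascii() for c in filler):
            findings.append(f"{len(filler)} invisible filler characters hide the real extension")
    return findings

def assess_download(name: str, data: bytes) -> List[str]:
    """Combine filename checks with a look at the bytes: a real PDF starts with '%PDF-'."""
    findings = assess_filename(name)
    if ".pdf" in name.lower() and not data.lstrip().startswith(b"%PDF-"):
        findings.append("name claims PDF but content lacks the %PDF- header")
    if re.search(rb"<\s*(hta:application|script)\b", data, re.IGNORECASE):
        findings.append("content contains HTA/script markup")
    return findings

# Constructed samples (not real malware): a benign PDF and an HTA padded to look like a PDF.
SAMPLE_DOWNLOADS = {
    "report.pdf": b"%PDF-1.7\n%...",
    "Invoice.pdf" + "\u2800" * 26 + ".hta": b"<html><hta:application id='x'/><script></script></html>",
}

if __name__ == "__main__":
    for name, data in SAMPLE_DOWNLOADS.items():
        print(repr(name[:40]), assess_download(name, data) or ["ok"])
```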

Who Discovered the Vulnerabilities?

Let’s not forget to credit those who discovered these vulnerabilities. CVE-2024-43461 was found by Peter Girnus, senior threat researcher at Trend Micro’s Zero Day Initiative (ZDI).

He said that the firm was aware that CVE-2024-43461 was being exploited but assumed the patch for CVE-2024-38112 would fix the issue. However, when they later reverse-engineered the patch, they found that the bug was not fixed, so they quickly alerted Microsoft.

Microsoft has given credit for discovering CVE-2024-38112 to Check Point Research. However, ZDI has also claimed credit for discovering this bug and was quite displeased with the tech giant for not acknowledging it.
