Life Buzz News

New Microsoft Windows Deadline -- You Have 3 Weeks To Update Your PC



A nasty new surprise from Microsoft has just provided a sting in the tail to last week's Patch Tuesday. Just as we saw in July, threat actors have exploited long-forgotten Internet Explorer code lurking inside hundreds of millions of PCs to execute attacks. Buried though that code might be, it has exposed a gaping security hole.

The U.S. government's cybersecurity agency wasted little time adding CVE-2024-43461 to its Known Exploited Vulnerabilities (KEV) catalog, warning that "Microsoft Windows MSHTML Platform contains a user interface (UI) misrepresentation of critical information vulnerability that allows an attacker to spoof a web page."

CISA adds that CVE-2024-43461 has been exploited "in conjunction with CVE-2024-38112," which is the threat I reported back in July. Raising alarm bells at that time, Check Point warned that attackers are using "special Windows Internet Shortcut files" to open URLs with IE instead of Chrome or Edge. Doing so means "the attacker gains significant advantages in exploiting the victim's computer, [despite] the computer running the modern Windows 10/11 operating system."

CISA has mandated Windows PCs be updated by October 7, which is three weeks from now. As ever, the formal mandate applies to federal employees, but many other public and private organizations follow CISA's mandates, given its remit "to help every organization better manage vulnerabilities and keep pace with threat activity."

Clearly, any PCs updated from July onwards will have addressed one of the two vulnerabilities in the chain; the latest update patches the second. Trend Micro's ZDI, which disclosed the second threat, warns that it "allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows," with the attack triggered by way of a malicious webpage that a user is tricked into visiting.

Microsoft explains that "the MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control... To stay fully protected, we recommend that customers who install Security Only updates install the IE Cumulative updates for this vulnerability."

The company now advises "that CVE-2024-43461 was exploited as a part of an attack chain relating to CVE-2024-38112, prior to July 2024. We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain."

Users that have not updated since have not patched CVE-2024-38112 and remain at risk. They have also ignored the prior CISA deadline, which was July 30. In addition to patching the more recent of these MSHTML vulnerabilities, September's Patch Tuesday addresses four other zero-days which prompted an October 1 CISA update deadline. Just as we've recently seen with Android and Chrome, we now have parallel CISA mandates running with different deadlines. Process is process, after all.

As I also reported in July, the attribution for the MSHTML exploitation came from Trend Micro. "Void Banshee," it says, "lures in victims using zip archives containing malicious files disguised as book PDFs; these are disseminated in cloud-sharing websites, Discord servers, and online libraries, among others." Void Banshee is an advanced persistent threat group working across the US, Asia and Europe.

Trend Micro warns that "the ability of APT groups like Void Banshee to exploit disabled services such as IE poses a significant threat to organizations worldwide," which is why if you didn't follow CISA's first MSHTML update mandate you certainly should do so this time around.

As usual, CISA says that users must "apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable," which means update or power down your Windows PCs. This level of severity is interesting when set against the backdrop of the Windows 10 to Windows 11 forced migration, which has painted an alarming picture of millions of non-compliant Windows PCs running off support.

Needless to say, that's not an especially clever place to be.

Check Point describes the MSHTML exploit as "especially surprising... leveraging Internet Explorer, which many users may not realize is even on their computer... all users [should] immediately apply the Microsoft patch to protect themselves."
