Void Banshee Exploits Second Microsoft Zero-Day

Published: 23/11/2024   Category: security




Attackers have been using the Windows MSHTML Platform spoofing vulnerability in conjunction with another zero-day flaw.



Microsoft has recategorized a bug that the company fixed in this month's Patch Tuesday update as a zero-day vulnerability, which the Void Banshee advanced persistent threat group has been exploiting since before July.
The bug, identified as CVE-2024-43461, is a remotely exploitable platform-spoofing vulnerability in the legacy MSHTML (Trident) browser engine that Microsoft continues to include in Windows for backward compatibility, and it's one of two very similar issues that Void Banshee is using in its attacks.
The vulnerability affects all supported versions of Windows and gives remote attackers a way to execute arbitrary code on affected systems. An attacker, however, would need to convince a potential victim to visit a malicious Web page or to click on an unsafe link for any exploit to work.
Microsoft assigned the flaw a severity rating of 8.8 on the 10-point CVSS scale when it initially disclosed the bug on Sept. 10. At that time, the company's advisory made no mention of the vulnerability being a zero-day bug. Microsoft revised that assessment on Sept. 13 to indicate that attackers had, in fact, been actively exploiting the flaw as part of an attack chain related to CVE-2024-38112, an MSHTML platform spoofing vulnerability that the company patched in July 2024.
"We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain," Microsoft said in its updated advisory.
The company wants customers to apply its patches from both the July 2024 update and the September 2024 update to fully protect themselves against exploits targeting CVE-2024-43461. Following Microsoft's Sept. 13 update, the US Cybersecurity and Infrastructure Security Agency (CISA) on Sept. 16 added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, with a deadline of Oct. 7 for federal agencies to implement the vendor's mitigations for it.
CVE-2024-43461 is similar to CVE-2024-38112 in that it allows an attacker to cause a user interface, in this case the browser, to display erroneous data.
Check Point Research, which Microsoft has credited with discovering CVE-2024-38112, has described the flaw as allowing an adversary to send a crafted URL or Internet shortcut file that, when clicked, would trigger Internet Explorer, even when disabled, to open a malicious URL. Check Point said it had also observed threat actors use a separate novel trick for dressing up malicious HTML application (HTA) files as innocuous-looking PDF documents when exploiting the flaw.
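The two lure artifacts described above, a crafted Internet shortcut (.URL) file that routes the click into the legacy MSHTML engine and an HTA payload dressed up as a PDF, are both things a responder can triage from file content and file names alone. The following Python is an added example written for this page; it is not code from the article, Check Point, ZDI or Microsoft. It assumes the shortcut's `URL=` line uses the `mhtml:` scheme (the article says the MHTML protocol handler is invoked from inside a .URL file) and, since the article does not say how the HTA was disguised, it assumes one plausible shape for the disguise: a `.pdf` decoy extension followed only by non-word characters and then the real `.hta` extension. The sample files and hostnames are constructed for the example.

```python
"""Triage helper: flag Internet Shortcut (.url) files that route a click
through the MHTML protocol handler (and thus the legacy MSHTML/IE engine),
and flag HTA payloads whose names are dressed up to look like PDFs.
Added example; not code from the article, Check Point, ZDI or Microsoft."""
import configparser
import re


def parse_url_shortcut(text: str) -> dict:
    """Parse the INI-style body of a Windows .url (Internet Shortcut) file.

    Returns the [InternetShortcut] section as a dict with lower-cased keys,
    or {} if the file has no such section or does not parse at all.
    """
    parser = configparser.RawConfigParser(
        delimiters=("=",), strict=False, interpolation=None
    )
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    for section in parser.sections():  # section names are case-sensitive here
        if section.lower() == "internetshortcut":
            return dict(parser.items(section))
    return {}


def shortcut_uses_mhtml(text: str) -> bool:
    """True if the shortcut's URL= target starts with the mhtml: scheme.

    A normal shortcut points at http(s):; an mhtml: target is handed to the
    MSHTML (Trident) engine regardless of the user's default browser.
    """
    target = parse_url_shortcut(text).get("url", "").strip()
    return target.lower().startswith("mhtml:")


# ASSUMPTION (not stated in the article): the HTA-as-PDF disguise takes the
# form of a ".pdf" decoy extension followed only by non-word characters
# (spaces, punctuation, symbols) and then the real ".hta" extension.
_DECOY_HTA = re.compile(r"\.pdf\W*\.hta$", re.IGNORECASE)


def looks_like_disguised_hta(filename: str) -> bool:
    """True if the real extension is .hta but the name shows a .pdf decoy."""
    return bool(_DECOY_HTA.search(filename))


def scan(files: dict) -> list:
    """Run both checks over {filename: file body}; return (name, reason) pairs."""
    findings = []
    for name, body in files.items():
        if name.lower().endswith(".url") and shortcut_uses_mhtml(body):
            findings.append((name, "url-shortcut-mhtml-handler"))
        if looks_like_disguised_hta(name):
            findings.append((name, "hta-disguised-as-pdf"))
    return findings


# Constructed sample files (hypothetical hosts; not real artefacts).
SAMPLE_FILES = {
    "Books_list.pdf.url": (
        "[InternetShortcut]\n"
        "URL=mhtml:http://landing.example.invalid/index.html\n"
        "ShowCommand=7\n"
    ),
    "bookmark.url": "[InternetShortcut]\nURL=https://docs.example.invalid/\n",
    "Book.pdf\u2800\u2800.hta": "<html><script>/* hypothetical */</script></html>",
    "notes.txt": "nothing to see here",
}

if __name__ == "__main__":
    for name, reason in scan(SAMPLE_FILES):
        print(f"{reason}: {name!r}")
```

The `.url` check is the more reliable of the two because it keys on the scheme the operating system will actually dispatch on; the filename check is a heuristic and will need widening if the decoy extension or the padding characters differ from the assumed pattern.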
Trend Micro's Zero Day Initiative (ZDI), which has also claimed credit for discovering CVE-2024-38112 and has a beef with Microsoft for not acknowledging it, later reported Void Banshee as exploiting the vulnerability to drop the Atlantida malware on Windows systems. In the attacks that Trend Micro observed, the threat actor lured victims using malicious files spoofed as book PDFs that it distributed via Discord servers, file-sharing websites, and other vectors. Void Banshee is a financially motivated threat actor that researchers have observed targeting organizations in North America, Southeast Asia, and Europe.
According to Microsoft's updated advisory, attackers have been using CVE-2024-43461 as part of an attack chain that also involves CVE-2024-38112. Researchers at Qualys previously noted that exploits against CVE-2024-38112 would work equally well for CVE-2024-43461, because the two are near-identical flaws.
Peter Girnus, senior threat researcher at ZDI, whom Microsoft has credited for CVE-2024-43461, says the attackers used CVE-2024-38112 to navigate to an HTML landing page through Internet Explorer using the MHTML protocol handler inside a .URL file. This landing page contains an