Microsoft has confirmed that two Internet Explorer vulnerabilities, CVE-2024-43461 and CVE-2024-38112, were exploited in the wild as zero-day attacks. The company’s acknowledgment underscores the critical nature of these vulnerabilities and the importance of timely patching.
CVE-2024-43461: A Windows MSHTML platform spoofing vulnerability
CVE-2024-43461 is a Windows MSHTML platform spoofing vulnerability that allows remote attackers to execute arbitrary code on affected installations of Windows. This vulnerability exists within the way Internet Explorer prompts the user after a file is downloaded. A crafted file name can cause the true file extension to be hidden, misleading the user into believing that the file type is harmless. An attacker can leverage this vulnerability to execute code in the context of the current user.
The @thezdi threat hunting team reported CVE-2024-38112 (MHTML handler inside of .URL files) and CVE-2024-43461 (File Extension Spoofing) to @msftsecresponse. Both are fixed! https://t.co/aktG5ALEw9
— Peter Girnus (@gothburz) September 16, 2024
The vulnerability was discovered by Peter Girnus at Trend Micro’s Zero Day Initiative (ZDI) and was initially reported to Microsoft in June. However, threat actors quickly devised a method to bypass the patch, and it was actively exploited in the wild before being fixed in the September 2024 Patch Tuesday updates.
CVE-2024-38112: A longstanding zero-day vulnerability
CVE-2024-38112, another MSHTML platform spoofing vulnerability, was exploited for at least a year before it was fixed in July 2024. This vulnerability was used by the advanced persistent threat (APT) group Void Banshee to target organizations in North America, Europe, and Southeast Asia for information theft and financial gain.
Void Banshee exploited CVE-2024-38112 to force Windows to open malicious websites in Internet Explorer rather than Microsoft Edge when launching specially crafted shortcut files. The attackers used Windows Internet Shortcut files (.url extension) which, when clicked, would invoke the retired Internet Explorer (IE) to visit the attacker-controlled URL. These URLs were used to download a malicious HTA file and prompt the user to open it, leading to the installation of the Atlantida info-stealer.
Attack chain and exploitation techniques
The attack chain involving CVE-2024-43461 and CVE-2024-38112 demonstrates the sophistication of modern cyber threats. By combining these vulnerabilities, attackers could create a CWE-451 condition (UI misrepresentation of critical information) to hide the HTA file extension and make the file appear to be a PDF when Windows prompted users to open it. This technique, which used 26 encoded braille whitespace characters (%E2%A0%80) to push the .hta extension out of view, was particularly concerning because it relied on the legacy Internet Explorer engine, which no longer receives updates or security fixes.
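As an added illustration (not code from the article, Microsoft or ZDI), the following Python checks a download name for the padding trick described above: it URL-decodes the name, separates the extension a user would see from the one Windows actually dispatches on, and renders the padding run visibly for logging. The padding characters beyond U+2800, the list of risky extensions and the sample names are assumptions.

```python
from urllib.parse import unquote

# Blank-rendering code points that can push the real extension out of view.
# U+2800 (Braille Pattern Blank, %E2%A0%80) is the one described in the article;
# the others are assumed additions of the same kind. ASCII space is excluded
# on purpose so ordinary names like "quarterly report.pdf" are not flagged.
PADDING_CHARS = {"\u2800", "\u00a0", "\u2007", "\u202f", "\u3000"}
# Assumed set of extensions Windows will execute rather than merely display.
EXECUTABLE_EXTS = {"hta", "exe", "js", "vbs", "scr", "lnk", "url", "cmd", "bat", "ps1"}


def real_extension(name: str) -> str:
    """Extension Windows dispatches on: text after the last dot, padding stripped."""
    _base, dot, ext = name.rpartition(".")
    return ext.strip("".join(PADDING_CHARS)).lower() if dot else ""


def displayed_extension(name: str) -> str:
    """Extension a user sees when a padding run hides everything after it."""
    cut = next((i for i, ch in enumerate(name) if ch in PADDING_CHARS), len(name))
    _base, dot, ext = name[:cut].rpartition(".")
    return ext.lower() if dot else ""


def describe(name: str) -> str:
    """Log-safe rendering: collapse each run of padding into a visible marker."""
    out, i = [], 0
    while i < len(name):
        if name[i] in PADDING_CHARS:
            j = i
            while j < len(name) and name[j] == name[i]:
                j += 1
            out.append(f"<U+{ord(name[i]):04X} x{j - i}>")
            i = j
        else:
            out.append(name[i])
            i += 1
    return "".join(out)


def analyze(raw_name: str) -> dict:
    """Decode a (possibly URL-encoded) file name and report extension spoofing."""
    name = unquote(raw_name)  # %E2%A0%80 -> U+2800, as the download prompt would show it
    padding = sum(1 for ch in name if ch in PADDING_CHARS)
    shown, real = displayed_extension(name), real_extension(name)
    spoofed = padding > 0 and shown != real
    return {"rendered": describe(name), "padding_chars": padding, "displayed_ext": shown,
            "real_ext": real, "spoofed": spoofed,
            "dangerous": spoofed and real in EXECUTABLE_EXTS}


if __name__ == "__main__":
    # Constructed sample modelled on the article: fake .pdf, 26 x U+2800, real .hta
    for sample in ("Books_A0UJKO.pdf" + "%E2%A0%80" * 26 + ".hta", "quarterly report.pdf"):
        print(analyze(sample))
```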
Patching
It is critical to apply both the July 2024 and September 2024 security updates to fully protect against these vulnerabilities. Microsoft's advisory notes that the fix for CVE-2024-38112 in the July 2024 security updates broke the attack chain, and the September 2024 updates addressed CVE-2024-43461, ensuring that Windows shows the actual .hta extension and warns users about the malicious download.