Microsoft confirms active exploitation of CVE-2024-43461, don't delay patching
Take action: If you have been delaying patching Windows, start patching now. Another actively exploited component in Windows is reason enough to start updating your computers.
Microsoft has updated its advisory to mark the Windows MSHTML spoofing vulnerability, tracked as CVE-2024-43461, as an actively exploited flaw, as it is used in zero-day attacks by the Void Banshee Advanced Persistent Threat (APT) group. Initially disclosed during the September 2024 Patch Tuesday, the vulnerability was not originally marked as exploited by Microsoft, but a third-party researcher warned of exploitation.
CVE-2024-43461 (CVSS score 8.8) is a spoofing vulnerability in the Windows MSHTML component that allowed attackers to obscure file extensions to deceive users into opening malicious files. The exploitation involved several stages:
- CVE-2024-38112 Exploitation: The attackers first exploited another zero-day, CVE-2024-38112 (fixed in July 2024), to manipulate Windows into opening malicious websites in Internet Explorer instead of Microsoft Edge. This was achieved through specially crafted Windows Internet Shortcut files (.url) that redirected users to attacker-controlled URLs.
- Malicious HTA File Delivery: The redirected URLs downloaded a malicious HTML Application (HTA) file. Upon prompting the user to open this file, a script was executed to install the Atlantida info-stealer.
- CVE-2024-43461 Exploitation: The CVE-2024-43461 vulnerability was then used to disguise the HTA file's extension by inserting 26 encoded braille whitespace characters (%E2%A0%80) in the filename. This caused the file to appear as a PDF, making users more likely to open it. When Windows attempted to open the file, these whitespace characters obscured the actual .hta extension, increasing the success rate of the attack.
Microsoft released a patch for CVE-2024-43461 in September 2024. After applying the patch, Windows no longer strips the whitespace characters, and the actual .hta extension is displayed in prompts. However, the fix is not entirely foolproof, as the presence of whitespace may still mislead users into thinking the file is a PDF rather than an HTA file.
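As an added illustration of the disguise described above (this is example code written for this page, not part of the article or of Microsoft's fix), the following Python check decodes a download filename the way a proxy or mail gateway might see it, flags runs of blank-rendering characters between a decoy extension and the real one, and reports both extensions so a reviewer sees what the prompt would have hidden. The sample filename is constructed, and the set of blank lookalike characters is an assumption; the braille blank itself (%E2%A0%80, U+2800) is the one the article names.

```python
"""Report filenames whose real extension is hidden behind blank-looking characters.

Added example for this page. It assumes the filename arrives URL-encoded
(as in a download URL) or already decoded; both are handled.
"""
from urllib.parse import unquote
import unicodedata

# Characters that render as blank but are not plain ASCII whitespace. U+2800
# (BRAILLE PATTERN BLANK, encoded %E2%A0%80) is categorised by Unicode as a
# symbol, not whitespace, so it must be listed explicitly. This set is an
# assumption for the example, not an exhaustive list.
BLANK_LOOKALIKES = {
    "\u2800",  # braille pattern blank (the character used in the CVE-2024-43461 attack)
    "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff",  # zero-width characters
}

# Extensions that Windows hands to a script host; opening them runs code.
SCRIPT_EXTENSIONS = {"hta", "js", "jse", "vbs", "vbe", "wsf", "wsh", "ps1"}


def is_blank_lookalike(ch: str) -> bool:
    """True for ordinary spaces (category Zs), format characters (Cf) and the explicit list."""
    return ch in BLANK_LOOKALIKES or unicodedata.category(ch) in ("Zs", "Cf")


def analyze_filename(raw: str) -> dict:
    """Decode a filename and separate the decoy extension from the real one.

    The real extension is whatever follows the last dot. If the text before
    that dot ends in a run of blank lookalikes, the extension before the run
    is what a user would have seen in a truncated prompt.
    """
    name = unquote(raw)
    base, dot, real_ext = name.rpartition(".")
    if not dot:
        return {"decoded_name": name, "real_extension": "", "decoy_extension": "",
                "hidden_blanks": 0, "suspicious": False}

    # Walk backwards over the blank run that sits just before the real extension.
    i = len(base)
    while i > 0 and is_blank_lookalike(base[i - 1]):
        i -= 1
    hidden_blanks = len(base) - i

    _, decoy_dot, decoy_ext = base[:i].rpartition(".")
    decoy_ext = decoy_ext.lower() if decoy_dot else ""
    real_ext = real_ext.lower()

    # Suspicious only when blanks actually separate two different extensions.
    suspicious = hidden_blanks > 0 and decoy_ext != "" and decoy_ext != real_ext
    return {
        "decoded_name": name,
        "real_extension": real_ext,
        "decoy_extension": decoy_ext,
        "hidden_blanks": hidden_blanks,
        "runs_as_script": real_ext in SCRIPT_EXTENSIONS,
        "suspicious": suspicious,
    }


def visible_name(raw: str) -> str:
    """Render every blank lookalike as a visible marker so the true name can be read."""
    return "".join("<BLANK>" if is_blank_lookalike(ch) else ch for ch in unquote(raw))


# Constructed sample in the shape the article describes: a .pdf decoy, 26 encoded
# braille blanks, then the real .hta extension.
SAMPLE_DISGUISED = "Invoice_2024.pdf" + "%E2%A0%80" * 26 + ".hta"
SAMPLE_BENIGN = "Invoice_2024.pdf"

if __name__ == "__main__":
    for sample in (SAMPLE_DISGUISED, SAMPLE_BENIGN):
        result = analyze_filename(sample)
        print(result)
        if result["suspicious"]:
            print("  true name:", visible_name(sample))
```

The check keys on the structure of the name (blank run between two extensions) rather than on one specific character, so a variant using another blank-rendering code point is caught as well; `visible_name` exists because an analyst looking at a log line otherwise sees exactly what the victim saw.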