Microsoft has confirmed that a recently patched Windows spoofing vulnerability was exploited as a zero-day before July 2024.
The company also disclosed that it was chained with a second zero-day, one that executed code through the retired Internet Explorer browser.
Details of the Exploit
The flaw, CVE-2024-43461, is a high-severity issue. Microsoft fixed it in the September 2024 Patch Tuesday updates, two months after the July update that broke the attack chain it was used in.
Microsoft classifies the bug as a spoofing issue in MSHTML, the rendering platform behind Internet Explorer. MSHTML remains in Windows for certain applications despite the browser's retirement.
Trend Micro's Zero Day Initiative (ZDI) reported the bug. Exploitation requires user interaction: attackers could execute arbitrary code when a user visited a malicious page or opened a malicious file.
How the Exploit Works
ZDI explains that the flaw lies in how Internet Explorer prompts users after a file download. A crafted file name causes the true extension to be hidden, misleading the user into believing the file type is harmless. Once opened, the file runs code in the context of the current user.
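As an added illustration of the file-name trick described above (example code written for this page, not ZDI's or Microsoft's), the script below inspects download names for an executable extension hidden behind invisible padding. Reporting on the Void Banshee samples described names that ended in a decoy .pdf, then a run of Braille Pattern Blank characters (U+2800), then the real .hta extension; the checker counts that padding, recovers the decoy extension, and also flags the older right-to-left-override trick, which goes beyond what the article covers. The sample names, the extension sets and the blank-character list are constructed assumptions.

```python
"""Flag download file names whose real extension is hidden from the user."""
import unicodedata
from dataclasses import dataclass, field

# Types Windows executes on double-click; mshta.exe runs .hta files. (assumed list)
EXECUTABLE_EXTS = {".hta", ".exe", ".scr", ".js", ".jse", ".vbs", ".vbe",
                   ".wsf", ".cmd", ".bat", ".ps1", ".lnk", ".url", ".msi"}

# Benign-looking types an attacker would use as the visible decoy. (assumed list)
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
              ".txt", ".rtf", ".jpg", ".jpeg", ".png", ".zip"}

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE, used for the older "evil_fdp.exe" trick

# Code points that render as empty space in Explorer and IE dialogs. U+2800
# (BRAILLE PATTERN BLANK) is a symbol, not whitespace, so it needs an explicit entry.
BLANK_CODEPOINTS = ({0x2800, 0x00A0, 0x3000, 0xFEFF, 0x200B, 0x2060}
                    | set(range(0x2000, 0x200B)))


def is_blank(ch: str) -> bool:
    """True for characters that display as nothing but still count as name characters."""
    if ch == RLO:
        return False
    return (ch == " " or ord(ch) in BLANK_CODEPOINTS
            or unicodedata.category(ch) in ("Zs", "Cf"))


@dataclass
class Verdict:
    real_ext: str    # extension Windows actually dispatches on
    decoy_ext: str   # extension the user sees once padding pushes the rest out of view
    padding: int     # number of blank characters between decoy and real extension
    signals: list = field(default_factory=list)

    @property
    def spoofed(self) -> bool:
        return self.real_ext in EXECUTABLE_EXTS and bool(self.signals)


def analyze_filename(name: str) -> Verdict:
    dot = name.rfind(".")
    real_ext = name[dot:].lower() if dot != -1 else ""
    end = dot if dot != -1 else len(name)

    # Walk backwards from the final dot over any run of invisible characters.
    i = end - 1
    padding = 0
    while i >= 0 and is_blank(name[i]):
        padding += 1
        i -= 1

    visible = name[:i + 1]   # the prefix that fits in a narrow dialog column
    vdot = visible.rfind(".")
    decoy_ext = visible[vdot:].lower() if vdot != -1 else ""

    signals = []
    if padding:
        signals.append(f"{padding} blank character(s) separate "
                       f"{decoy_ext or 'the name'} from {real_ext}")
    if decoy_ext in DECOY_EXTS:
        signals.append(f"decoy extension {decoy_ext} precedes real extension {real_ext}")
    if RLO in name:
        signals.append("right-to-left override reverses the displayed name")
    return Verdict(real_ext, decoy_ext, padding, signals)


def flag_downloads(names):
    """Return the subset of names that would mislead a user about what runs."""
    return [n for n in names if analyze_filename(n).spoofed]


if __name__ == "__main__":
    # Constructed sample names; the first follows the decoy + U+2800 padding + .hta pattern.
    samples = [
        "Books_A0UJKO.pdf" + "\u2800" * 26 + ".hta",
        "quarterly-report.pdf",
        "setup.exe",
        "invoice_" + RLO + "fdp.exe",
        "notes.pdf.hta",
    ]
    for n in samples:
        v = analyze_filename(n)
        print(f"spoofed={v.spoofed!s:5} real={v.real_ext:5} decoy={v.decoy_ext:5} "
              f"pad={v.padding:2} {'; '.join(v.signals)}")
```

Run it wherever download names are visible to a defender, for example over proxy or mail-gateway logs; anything it flags should be quarantined rather than left for the user to notice the trailing .hta. A plain double extension such as notes.pdf.hta is reported too, since the padding is only one way of pushing the real extension out of view.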
Microsoft’s Response
On Friday, Microsoft updated its CVE-2024-43461 advisory. The company confirmed that attackers exploited the vulnerability before July 2024 along with CVE-2024-38112, another MSHTML Windows spoofing flaw.
Microsoft stated:
“CVE-2024-43461 was part of an attack chain with CVE-2024-38112 before July 2024. We patched CVE-2024-38112 in July, which disrupted this chain. To stay protected, users should install both July and September 2024 updates.”
APT Group Behind the Attack
According to Trend Micro, an advanced persistent threat (APT) group tracked as Void Banshee exploited CVE-2024-38112 to execute code through the retired Internet Explorer.
The attackers used crafted URLs that opened in IE rather than the default browser and redirected victims to a compromised website. That site hosted a malicious HTML Application (HTA) file, which silently downloaded further malware in the background. The final payload was the Atlantida information stealer.
How to Stay Safe
To protect against these attacks:
Install both July and September 2024 security updates immediately.
Avoid opening unknown HTA files or suspicious links.
Use modern browsers and disable legacy components when possible.
These vulnerabilities highlight the risk of legacy components that remain in Windows after the products built on them are retired. Applying updates promptly remains the best defense.