Windows MSHTML vulnerability actively exploited
CISA has added another MSHTML vulnerability rooted in Internet Explorer to its known exploited vulnerabilities catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-43461, a vulnerability in Windows MSHTML, to its Known Exploited Vulnerabilities (KEV) catalog. This requires Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerability by October 7, 2024.
A fix for the flaw shipped in the September 2024 Patch Tuesday, but Microsoft did not initially list it among the four zero-days patched that month. Microsoft's reasoning was that the vulnerability had only been used in an attack chain together with another MSHTML vulnerability, CVE-2024-38112, which was fixed in the July 2024 Patch Tuesday. Microsoft has since updated its advisory to acknowledge that CVE-2024-43461 was itself exploited in those attacks.
CVE-2024-43461 is a Windows MSHTML platform spoofing vulnerability. It is another serious flaw that stems from Windows still shipping components of Internet Explorer 11, a browser that is officially retired. Microsoft writes:
While Microsoft has announced retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported.
Retaining fragments of Internet Explorer means that the outdated browser can still be invoked and leveraged for malicious purposes.
The MSHTML vulnerabilities were used by an APT group called Void Banshee to deploy malicious HTML Application (HTA) files disguised as PDF documents. The lure file names hid the true .hta extension: after a fake .pdf extension, the name was padded with dozens of invisible Braille whitespace characters (U+2800), so the real extension was pushed out of view in the prompt Internet Explorer shows after a file is downloaded.
An HTA file is an application that combines an HTML interface with logic written in a scripting language supported by Internet Explorer, such as VBScript or JScript. HTAs are run by mshta.exe rather than inside the browser, and as fully trusted applications they execute with the privileges of the logged-on user, free of the security-zone restrictions that apply to ordinary HTML pages.
The HTA files were used to spread the Atlantida information stealer, which can steal passwords, authentication cookies, and cryptocurrency wallets from infected devices.
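As an added example (not code from the original article or from Malwarebytes), the following Python script checks file names for the disguise described above: a decoy document extension, followed by invisible padding characters, followed by the real script or executable extension. The extension lists are assumptions rather than a complete inventory, and the sample file names are constructed to mimic the shape of the lure, not taken from real samples.

```python
import unicodedata
from dataclasses import dataclass

# Extensions Windows hands straight to a script host or loader (assumed list; extend as needed).
EXECUTABLE_EXTENSIONS = {
    ".hta", ".exe", ".scr", ".js", ".jse", ".vbs", ".vbe",
    ".wsf", ".wsh", ".cmd", ".bat", ".ps1", ".lnk", ".msi",
}
# Extensions an attacker would show as the decoy (assumed list).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png"}

# Characters that draw as blank but are not classified as spaces by Unicode.
# U+2800 BRAILLE PATTERN BLANK is the one used in the Void Banshee lures.
INVISIBLE_CHARS = {"\u2800", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def is_padding_char(ch: str) -> bool:
    """True for Unicode spaces (Zs), format characters (Cf) and the explicit blanks above."""
    return ch in INVISIBLE_CHARS or unicodedata.category(ch) in ("Zs", "Cf")


@dataclass
class Verdict:
    suspicious: bool
    displayed_name: str   # the part of the name a user would see before the padding
    real_extension: str   # the extension Windows will actually act on
    reason: str


def analyze_filename(name: str) -> Verdict:
    """Flag names whose visible extension is a document type but whose real extension is executable."""
    lower = name.lower()
    dot = lower.rfind(".")
    real_ext = lower[dot:] if dot != -1 else ""
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return Verdict(False, name, real_ext, "real extension is not executable")

    # Strip any padding sitting between the decoy extension and the real one.
    stem = name[:dot]
    end = len(stem)
    while end > 0 and is_padding_char(stem[end - 1]):
        end -= 1
    visible, padding = stem[:end], stem[end:]

    vis_dot = visible.lower().rfind(".")
    decoy_ext = visible.lower()[vis_dot:] if vis_dot != -1 else ""
    if decoy_ext in DECOY_EXTENSIONS:
        if padding:
            reason = (f"decoy {decoy_ext} separated from {real_ext} by "
                      f"{len(padding)} padding character(s)")
        else:
            reason = f"double extension {decoy_ext}{real_ext}"
        return Verdict(True, visible, real_ext, reason)
    return Verdict(False, name, real_ext, "executable extension shown plainly")


def scan(names):
    """Return (name, verdict) pairs for every suspicious entry in an iterable of file names."""
    results = []
    for n in names:
        v = analyze_filename(n)
        if v.suspicious:
            results.append((n, v))
    return results


if __name__ == "__main__":
    # Constructed sample names: the first mimics the padded lure, the second a plain double extension.
    samples = [
        "Books_A0UJKO.pdf" + "\u2800" * 26 + ".hta",
        "invoice.pdf.hta",
        "quarterly_report.pdf",
        "setup.exe",
    ]
    for n, v in scan(samples):
        print(f"{v.displayed_name!r} -> {v.real_extension}: {v.reason}")
```

The same check can be pointed at proxy or EDR download logs, or at the names in a mail gateway's attachment log; a name that ends in an executable extension after a run of blank characters has no legitimate reason to exist and is worth blocking outright.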
Successful exploitation requires an attacker to get a target to open a malicious file or visit a malicious website, but cybercriminals are well practiced at doing both.
Void Banshee is known for targeting organizations across North America, Europe, and Southeast Asia for financial gain and to steal data.
Malwarebytes and ThreatDown detect the Atlantida stealer as Spyware.Atlantida.
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in check by using ThreatDown’s Vulnerability Assessment and Patch Management solutions.