The Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. federal agencies to patch a newly fixed Windows zero-day, CVE-2024-43461, a spoofing vulnerability in the MSHTML platform (the Internet Explorer rendering engine that Windows still ships). Microsoft's September 2024 advisory initially listed the bug as not exploited, but the company later revised it to confirm that the Void Banshee APT group had used it before a fix was available. On its own the flaw only spoofs what a user sees; chained with CVE-2024-38112 (an earlier MSHTML bug patched in July 2024), it lets an attacker gain arbitrary code execution on an unpatched system through a maliciously crafted file or web page.
CVE-2024-43461 lies in how MSHTML presents a downloaded file: the file name can be crafted so that the extension the user sees is not the one Windows will actually execute. In the observed attacks the real .hta extension was pushed out of view behind a long run of encoded braille whitespace characters, so the download appeared to be a PDF; opening it ran the HTML Application with the privileges of the current user's session. Void Banshee used this to deliver the Atlantida information stealer, which harvests passwords, authentication cookies, and cryptocurrency wallet data.
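The spoofing described above works because the shell dispatches on the real extension while the user sees a padded name. The following Python is an added example, not code from the article or from Microsoft, that flags such names: it compares the extension Windows will act on with the extension a user would plausibly see once invisible padding (U+2800 BRAILLE PATTERN BLANK, zero-width and other format characters) is taken into account. It goes one step beyond the page by also handling the older right-to-left-override trick (U+202E), which this article does not mention. The extension lists and the sample file names are constructed for the example.

```python
import unicodedata
from dataclasses import dataclass
from typing import List, Optional

# Extensions the Windows shell hands to an interpreter when a file is opened.
# .hta (HTML Application, run by mshta.exe) is the one abused in the chain above.
# This list is an assumption for the example; extend it for your environment.
EXECUTABLE_EXTENSIONS = {
    ".hta", ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".msi", ".lnk", ".url",
}

RLO = "\u202e"            # RIGHT-TO-LEFT OVERRIDE: reverses how the rest of the name renders
BRAILLE_BLANK = "\u2800"  # BRAILLE PATTERN BLANK: category So, but draws as an empty cell


def is_invisible(ch: str) -> bool:
    """True for characters that render as nothing or as blank space in a file-name column."""
    if ch == BRAILLE_BLANK:
        return True
    return unicodedata.category(ch) in {"Zs", "Zl", "Zp", "Cf"}


def real_extension(name: str) -> str:
    """The extension the shell actually dispatches on: everything after the last dot."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def apparent_name(name: str) -> str:
    """Approximate what a user sees: apply an RLO override if present, then cut the
    name at the first non-space invisible character, because padding pushes whatever
    follows it out of the visible column."""
    if RLO in name:
        idx = name.index(RLO)
        name = name[:idx] + name[idx + 1:][::-1]
    visible = []
    for ch in name:
        if ch != " " and is_invisible(ch):
            break
        visible.append(ch)
    return "".join(visible)


@dataclass
class Finding:
    filename: str
    apparent_extension: str
    real_extension: str
    invisible_chars: int  # padding/format characters in the name, ordinary spaces excluded


def analyse_filename(name: str) -> Optional[Finding]:
    """Return a Finding when an executable extension is hidden behind a different
    apparent one, or None when the name is honest about what it is."""
    real = real_extension(name)
    if real not in EXECUTABLE_EXTENSIONS:
        return None  # the shell would not execute it, so there is nothing to disguise
    apparent = real_extension(apparent_name(name))
    if apparent == real:
        return None
    hidden = sum(1 for ch in name if ch != " " and is_invisible(ch))
    return Finding(name, apparent, real, hidden)


def scan_names(names: List[str]) -> List[Finding]:
    return [f for f in (analyse_filename(n) for n in names) if f is not None]


if __name__ == "__main__":
    # Constructed sample names; the first mimics the padding pattern described above.
    samples = [
        "Books_A0UJKO.pdf" + BRAILLE_BLANK * 26 + ".hta",
        "invoice" + RLO + "fdp.exe",   # renders as "invoiceexe.pdf"
        "quarterly report.pdf",
        "setup.exe",
    ]
    for f in scan_names(samples):
        print(f"{f.filename!r}: looks like {f.apparent_extension or '(none)'}, "
              f"runs as {f.real_extension}, {f.invisible_chars} hidden chars")
```

The check deliberately keys on the executable extension rather than on padding alone, so a document name containing a stray zero-width character is not reported; a download-scanning hook or mail gateway rule would wire `analyse_filename` to the attachment or file name it sees.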
Following confirmation of in-the-wild exploitation, CISA added CVE-2024-43461 to its Known Exploited Vulnerabilities (KEV) catalog on September 16, 2024 and, under Binding Operational Directive (BOD) 22-01, gave federal civilian executive branch agencies three weeks, until October 7, 2024, to remediate it. BOD 22-01 requires agencies to fix every catalogued vulnerability by its listed due date; CISA's rationale is that vulnerabilities in the catalog are frequent attack vectors for malicious actors and pose significant risks to the federal enterprise.
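KEV due dates are published as machine-readable JSON, so an organization that adopts BOD 22-01 deadlines can check its own CVE list against the feed automatically. The Python below is an added example, not CISA tooling: it parses a feed in the shape of CISA's known_exploited_vulnerabilities.json (the field names `cveID`, `dateAdded`, `dueDate`, `requiredAction` and `knownRansomwareCampaignUse` are the feed's own) and reports, for a given date, which tracked CVEs are not catalogued, still within their window, or overdue. The embedded feed is a constructed two-entry sample; the CVE-2024-43461 dates match the article, and the CVE-2024-38112 entry uses illustrative dates.

```python
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional

# Constructed sample mirroring the schema of CISA's known_exploited_vulnerabilities.json.
# In production, fetch the live feed from cisa.gov instead of using this literal.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2024.09.16",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-43461",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Microsoft Windows MSHTML Platform Spoofing Vulnerability",
            "dateAdded": "2024-09-16",
            "dueDate": "2024-10-07",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-2024-38112",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Microsoft Windows MSHTML Platform Spoofing Vulnerability",
            "dateAdded": "2024-07-09",   # illustrative value for the example
            "dueDate": "2024-07-30",     # illustrative value for the example
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})


@dataclass
class KevStatus:
    cve_id: str
    in_catalog: bool
    due_date: Optional[date]
    days_remaining: Optional[int]  # negative when overdue
    ransomware_use: Optional[str]

    @property
    def overdue(self) -> bool:
        return self.days_remaining is not None and self.days_remaining < 0


def load_kev(feed_json: str) -> Dict[str, dict]:
    """Index the feed's vulnerability entries by CVE ID."""
    feed = json.loads(feed_json)
    return {entry["cveID"].upper(): entry for entry in feed["vulnerabilities"]}


def kev_status(feed_json: str, cve_ids: Iterable[str], today: date) -> Dict[str, KevStatus]:
    """For each tracked CVE, report whether it is catalogued and how many days
    remain until (or have passed since) the BOD 22-01 due date."""
    catalog = load_kev(feed_json)
    result = {}
    for cve in cve_ids:
        key = cve.upper()
        entry = catalog.get(key)
        if entry is None:
            result[key] = KevStatus(key, False, None, None, None)
            continue
        due = date.fromisoformat(entry["dueDate"])
        result[key] = KevStatus(
            key, True, due, (due - today).days, entry.get("knownRansomwareCampaignUse"),
        )
    return result


if __name__ == "__main__":
    # Constructed tracking list: two catalogued CVEs and one that is not in the sample feed.
    tracked = ["CVE-2024-43461", "CVE-2024-38112", "CVE-2024-38217"]
    for status in kev_status(SAMPLE_KEV_FEED, tracked, date(2024, 9, 20)).values():
        if not status.in_catalog:
            print(f"{status.cve_id}: not in sample catalog")
        elif status.overdue:
            print(f"{status.cve_id}: OVERDUE by {-status.days_remaining} days (due {status.due_date})")
        else:
            print(f"{status.cve_id}: due {status.due_date}, {status.days_remaining} days left")
```

A scheduled job that feeds this the live catalog and the output of a vulnerability scanner gives a daily list of catalogued, still-unpatched CVEs ordered by days remaining, which is the view BOD 22-01 is asking agencies to act on.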
CISA's directive binds only federal agencies, but because the exploit chain is already in active use, private organizations should treat the same deadline as a reasonable target for the September 2024 Windows updates. That Patch Tuesday release also fixed other zero-days exploited before a patch existed, including CVE-2024-38217, a Windows Mark of the Web security feature bypass. Organizations should verify that the September 2024 cumulative update is installed across their Windows fleet, apply all other available updates, and watch for follow-on advisories as these threats evolve.