Microsoft confirms IE bug squashed in Patch Tuesday was exploited zero-day
The C in these CVEs stands for Confusing
Analysis: Microsoft, in a low-key update to its September Patch Tuesday disclosures, has confirmed a just-fixed Internet Explorer vulnerability was exploited as a zero-day before it could be patched.
Redmond addressed the security bug – CVE-2024-43461, an "important" spoofing flaw with an 8.8-out-of-10 CVSS severity rating – in an update issued last week.
Back then Microsoft said the hole was not exploited in the wild. Now the software giant says it was exploited prior to patching, making it a zero day for a time.
Essentially, if you exploit CVE-2024-43461, you can hide from the user the true file-type extension of a file after it's finished downloading in Internet Explorer. That's a neat way, using non-printing braille Unicode characters, to trick someone into opening a file that looks like a harmless download but turns out to run malicious code. To pull that off in a practical way, a miscreant will likely have to combine that flaw with others, and more on that in a minute.
The flaw – technically a Windows MSHTML platform spoofing vulnerability – was reported to Microsoft by Peter Girnus at Trend Micro's Zero Day Initiative (ZDI), which last week described the hole thus:
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the way Internet Explorer prompts the user after a file is downloaded. A crafted file name can cause the true file extension to be hidden, misleading the user into believing that the file type is harmless. An attacker can leverage this vulnerability to execute code in the context of the current user.
Microsoft said its own staffers Michael Macelletti, Naiyi Jiang, and a person identified only as “Adel” also found CVE-2024-43461, alongside ZDI's Girnus.
It turns out CVE-2024-43461 was earlier exploited in the wild by a Windows malware-spreading gang called Void Banshee that abused the flaw with another MSHTML platform spoofing vulnerability, CVE-2024-38112, to infect victims' systems.
The 38112 bug, patched in July and acknowledged at the time by Microsoft as being exploited in the wild, allows a specially crafted Windows Internet Shortcut file, a .url file, to force the victim's PC into opening a particular URL using the retired and dormant Internet Explorer.
Thus CVE-2024-38112 was used by Void Banshee to launch IE to exploit CVE-2024-43461, and trick the user into opening a downloaded malicious HTML Application (.hta) disguised as a harmless file, which ultimately ran the info-stealing Atlantida malware on their machine.
The victim would not know they were launching a .hta file due to the 43461 vulnerability. They would be lured into opening a .url file, then the spoofed application, and then have their private data – including saved website credentials – stolen by Atlantida. The swiped info would be exfiltrated to crooks to use.
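A defender-side check for the file-name trick described above, as an added example that is not code from the article, Microsoft, ZDI, or Check Point: it flags names where a run of blank-rendering characters pushes the real extension out of view. The sample file name, the risky-extension list, and the run-length threshold are constructed assumptions.

```python
import unicodedata
from itertools import groupby

BRAILLE_BLANK = "\u2800"  # category "So", so str.isspace() does NOT catch it
# Assumed, non-exhaustive list of extensions Windows will execute or interpret.
RISKY = {"hta", "exe", "scr", "js", "vbs", "bat", "cmd", "lnk", "url"}
MIN_RUN = 3  # assumed threshold: one or two plain spaces are normal in names


def is_blank(ch):
    """True for characters that render as empty space or as nothing."""
    return ch == BRAILLE_BLANK or unicodedata.category(ch) in ("Zs", "Cf", "Cc")


def padding_runs(name):
    """Yield (offset, run) for blank runs that look like deliberate padding."""
    pos = 0
    for blank, group in groupby(name, key=is_blank):
        chunk = "".join(group)
        # Padding = a long run, or any run containing a non-ASCII blank.
        if blank and (len(chunk) >= MIN_RUN or set(chunk) - {" "}):
            yield pos, chunk
        pos += len(chunk)


def extension(name):
    base, dot, ext = name.rpartition(".")
    return ext.lower() if dot and base else ""


def inspect_filename(name):
    runs = list(padding_runs(name))
    # What the OS acts on: the extension once the blanks are stripped.
    true_ext = extension("".join(ch for ch in name if not is_blank(ch)))
    # What a user likely reads: the extension before the first padding run.
    shown_ext = extension(name[:runs[0][0]]) if runs else true_ext
    return {
        "true_ext": true_ext,
        "shown_ext": shown_ext,
        "padding_chars": sum(len(chunk) for _, chunk in runs),
        "suspicious": bool(runs) and shown_ext != true_ext and true_ext in RISKY,
    }


# Constructed sample: looks like a PDF, is really an HTML Application.
SAMPLE = "invoice.pdf" + BRAILLE_BLANK * 30 + ".hta"

if __name__ == "__main__":
    for candidate in (SAMPLE, "quarterly report.pdf"):
        print(repr(candidate[:20]), inspect_filename(candidate))
```

The same function can be run over download-directory listings or proxy logs of Content-Disposition file names; a plain double extension with no padding is deliberately not flagged here because the real extension stays visible.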
In July, Microsoft credited Haifei Li at Check Point Research with discovering and reporting CVE-2024-38112, though ZDI felt it should have got some credit too for finding and disclosing the hole. Check Point went into detail on July 9 to explain how the 38112 flaw was exploited in the wild, and included a description of the trick used for hiding the .hta extension without quoting a CVE for that part.
Fast forward to this month, and ZDI said it privately disclosed the file-type-spoofing flaw, now known as CVE-2024-43461, on July 19 and it was fixed on September 10. Three days later, Microsoft updated its advisory for the vulnerability with the following note acknowledging 43461 was abused in the wild along with 38112:
CVE-2024-43461 was exploited as a part of an attack chain relating to CVE-2024-38112, prior to July 2024. We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain. Customers should [apply] both the July 2024 and September 2024 security update to fully protect themselves.
Patching the 38112 bug should have prevented the above exploit chain from working as expected, protecting targets, Microsoft argued.
Interestingly enough, in July when ZDI was protesting it should have received some credit for finding CVE-2024-38112, it told The Register it privately disclosed the IE launching aspect to Microsoft in May. The Trend team said as much in their own technical write-up on July 15, which also includes a description of the file-type-hiding bug.
Untangling this mess, we reckon ZDI and Check Point both pretty much found and reported the two bugs to Microsoft. Microsoft credited ZDI for finding the .hta file-extension hiding flaw (CVE-2024-43461) this month, after previously just being hat-tipped for reporting a "defense-in-depth" issue, and Check Point was named for the IE launching trick (CVE-2024-38112) in July.
Both vulnerabilities are now acknowledged as being exploited in the wild.
Indeed, the US government's CISA added CVE-2024-43461 to its known exploited vulnerabilities catalog on Monday, warning it has been "exploited in conjunction with CVE-2024-38112."
According to Check Point, CVE-2024-38112 was exploited for at least a year before Microsoft fixed the flaw.
Meanwhile, Girnus and fellow Trend Micro researcher Aliakbar Zahravi described Void Banshee as financially motivated, and said the gang targeted netizens in North America, Europe, and Southeast Asia to get info-stealing malware onto their Windows PCs.
When asked about the Friday update to September's Patch Tuesday disclosures, Dustin Childs, head of threat awareness at ZDI, told The Register it at least indicates ZDI reported the file-extension-hiding bug, now known as CVE-2024-43461, to Microsoft earlier this year. "It shows that Microsoft now confirms we did report this to them back in July," he said.
Childs also said the patch that month, for CVE-2024-38112, wasn't enough to fully kill off the pathway to exploitation, requiring September's CVE-2024-43461 update to close off the file-extension hole as well as the Internet Explorer resurrection.
"We spoke with them at length to help guide their understanding of what attacks we were seeing in the wild," Childs told us. "After many back-and-forth communications, they were able to understand what we were reporting was accurate and that the July patch was inadequate."
"The exploit being used in the wild combined a couple of different vulnerabilities," he elaborated.
"Microsoft believed the July patch blocked the exploit chain, but it still left the attack surface unprotected. We analyzed the July patch and reported that targets could still be exploited due to a spoofing vulnerability that was not fixed by Microsoft.
"We noticed attackers using the same techniques we discovered and notified Microsoft. It took us less than two hours of reverse engineering to reach this conclusion."
Childs said he's "pleased" Microsoft updated the security alert to reflect that CVE-2024-43461 is or was under attack. "That helps network defenders understand the actual threat to their enterprise and take appropriate actions," he said.
Microsoft declined to offer further comment on the matter. ®