Hackers Exploit a New Windows Vulnerability to Perform a Zero-Day Attack on Disable Internet Explorer

Advisory ID: NCC-CSIRT-170924-009

Summary: 

Researchers from Trend Micro's Zero Day Initiative have discovered a newly identified Windows vulnerability, exploited as a zero-day to execute code via the disabled Internet Explorer browser. This vulnerability, tracked as CVE-2024-43461, is classified as a high-severity issue. It was addressed in a patch released on Tuesday, September 10, 2024, over two months after it had already been exploited in the wild.

Threat Type(s): Vulnerability, Zero-Day Attack

Impact/Vulnerability: CRITICAL/HIGH

Product(s): MS Windows

Platform(s): Internet Explorer bowser

Version(s): All Versions

Description: 

The research revealed that the security flaw is a spoofing vulnerability in a component of Internet Explorer’s Web Archive file format. This format combines HTML code and its related resources (such as images) into a single file, even when these resources are linked externally in the webpage's HTML. Despite Internet Explorer being disabled, the platform remains in Windows and is still utilized by certain applications in specific scenarios.

The vulnerability arises from how Internet Explorer handles user prompts after a file download. A maliciously crafted file name can conceal the true file extension, tricking users into thinking the file is safe. Exploiting this flaw, an attacker could execute code under the current user’s privileges.

Solution: 

The vulnerability identified as CVE-2024-43461 was exploited as part of an attack chain involving the CVE-2024-38112 flaw prior to July 2024. To ensure complete protection against this threat, users are advised to install both the Windows July 2024 security updates, which addressed CVE-2024-38112, as well as the Windows September 2024 updates. Links to the relevant security updates are provided below:

https://support.microsoft.com/en-us/topic/july-9-2024-kb5040437-os-build-20348-2582-5b28d9b8-fcba-43bb-91e6-062f43c7ec7c

https://support.microsoft.com/en-us/topic/september-10-2024-kb5043076-os-builds-22621-4169-and-22631-4169-215aad1e-3f3f-44bd-9868-91a2bd450a07

References:

• https://www.securityweek.com/microsoft-says-recent-windows-vulnerability-exploited-as-zero-day/

• https://www.securityweek.com/apt-exploits-windows-zero-day-to-execute-code-via-disabled-internet-explorer/

• https://www.securityweek.com/microsoft-says-windows-update-zero-day-being-exploited-to-undo-security-fixes/

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43461

• https://www.zerodayinitiative.com/advisories/ZDI-24-1207/