Similar to what happened in July, hackers have used Microsoft Explorer’s long-forgotten code hidden inside millions of PCs to launch assaults, leaving a security hole.
The U.S. government’s cybersecurity agency added this threat, CVE-2024-43461, to its Known Exploited Vulnerabilities (KEV) catalog, stating a warning, “Microsoft Windows MSHTML Platform contains a user interface (UI) misrepresentation of critical information vulnerability that allows an attacker to spoof a web page.”
CISA revealed that CVE-2024-43461 has been exploited “in conjunction with CVE-2024-38112.”
According to CISA regulations, every Windows PC must be updated by October 7, which is three weeks from now. It applies to federal personnel along with private and public companies.
Any PC updated after July might have already addressed one of two vulnerabilities in the chain. The recent update will address the second threat that “allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows.”
Microsoft says, “The MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control… To stay fully protected, we recommend that customers who install Security Only updates install the IE Cumulative updates for this vulnerability.”
September’s Patch Tuesday addresses four other zero-days that prompted an October 1 CISA update deadline, along with MSHTML vulnerabilities.
CISA says that users must “apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.” It means that the users must update or power down their Windows PCs.
Check Point labels the MSHTML exploit as “especially surprising… leveraging Internet Explorer, which many users may not realize is even on their computer… all users [should] immediately apply the Microsoft patch to protect themselves.”
