Thursday, 19 September 2024

Microsoft Issues Urgent Windows Update Deadline

In a significant security alert, Microsoft has issued a new deadline for updating Windows PCs, following recent revelations about a major vulnerability. This development comes as a troubling follow-up to last week’s Patch Tuesday updates and underscores the critical nature of maintaining up-to-date software.

The vulnerability in question involves long-dormant Internet Explorer (IE) code embedded in countless Windows PCs. Despite IE’s obsolescence, this outdated code has been exploited by threat actors, revealing a severe security flaw. This issue has now been cataloged as CVE-2024-43461 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which promptly added it to its Known Exploited Vulnerabilities (KEV) list.

CISA’s advisory highlights that CVE-2024-43461 pertains to a flaw within the Microsoft Windows MSHTML Platform. This vulnerability enables attackers to spoof web pages, presenting a significant risk. The exploitation of CVE-2024-43461 has been linked to CVE-2024-38112, a threat first reported in July. Check Point had previously raised alarms about attackers leveraging “special Windows Internet Shortcut files” to open URLs with Internet Explorer instead of modern browsers like Chrome or Edge. This tactic provides attackers with a notable advantage, even on systems running up-to-date versions of Windows 10 and 11.

To mitigate this risk, CISA has mandated that all Windows PCs must be updated by October 7, which is three weeks from today. This directive is primarily aimed at federal employees but is widely adopted by other organizations due to CISA’s role in guiding vulnerability management and threat response. For many, adhering to CISA’s guidelines is crucial in safeguarding against evolving threats.

The update scheduled for October addresses the CVE-2024-43461 vulnerability, while systems updated since July would have already patched CVE-2024-38112. According to Trend Micro’s Zero Day Initiative (ZDI), CVE-2024-43461 allows remote attackers to execute arbitrary code on affected systems. This code execution is triggered via a malicious webpage that users are deceived into visiting.

Microsoft has explained that the MSHTML platform, which is used by Internet Explorer mode in Microsoft Edge and by other applications through the WebBrowser control, is the source of the vulnerability. To ensure full protection, Microsoft recommends that users who installed Security Only updates also apply the IE Cumulative updates addressing this issue. The company has confirmed that CVE-2024-43461 was part of a broader attack chain involving CVE-2024-38112, with a fix for the latter released in the July 2024 security updates. This fix aimed to disrupt the attack chain; however, those who have not updated since then are still vulnerable.

In addition to this urgent update, the September Patch Tuesday also addresses four other zero-day vulnerabilities, with an October 1 deadline set by CISA for these fixes. This parallel set of mandates highlights the ongoing challenges in managing security updates and underscores the importance of keeping systems current. The coordination of these updates is reminiscent of recent parallel updates for Android and Chrome, reflecting the complex nature of modern cybersecurity management.

Trend Micro’s attribution of the MSHTML exploitation to the advanced persistent threat group “Void Banshee” emphasizes the severity of this issue. Void Banshee has been active across the U.S., Asia, and Europe, using zip archives containing malicious files disguised as book PDFs to lure victims. These files are distributed through cloud-sharing platforms, Discord servers, and online libraries. Trend Micro warns that the ability of APT groups like Void Banshee to exploit disabled services such as Internet Explorer poses a significant threat to global organizations.

Given the severity of the threat, CISA advises that users must either apply mitigations according to vendor instructions or discontinue the use of affected products if no mitigations are available. In practice, this means updating your Windows PC is essential; the alternative is powering down systems until updates are applied. This level of urgency is particularly notable against the backdrop of the ongoing migration from Windows 10 to Windows 11, which has left millions of PCs unsupported and vulnerable.

Check Point’s assessment of the MSHTML exploit underscores its unexpected nature, especially considering that Internet Explorer is no longer a primary browser for many users. The presence of such vulnerabilities in outdated software emphasizes the need for all users to apply the latest Microsoft patches immediately to protect themselves from potential attacks.

In summary, with the October 7 deadline rapidly approaching, it is crucial for all Windows PC users to address these vulnerabilities without delay. The update will not only address the immediate risks posed by CVE-2024-43461 but also contribute to broader security improvements across systems. Ensuring that your software is up to date is a fundamental step in protecting against the evolving landscape of cyber threats.
