Microsoft and CISA say you must update Windows or face the consequences
Time is running out for Windows users, as Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a clear warning: update your systems now or risk severe security vulnerabilities. A new exploit involving outdated Internet Explorer code threatens the security of millions of PCs. Despite Internet Explorer being largely forgotten, the remnants of its code have opened up a major vulnerability, and hackers are already exploiting it.
CISA recently added a new vulnerability, CVE-2024-43461, to its Known Exploited Vulnerabilities (KEV) catalog. This exploit, rooted in the MSHTML platform within Windows, allows hackers to spoof web pages and trick users into visiting malicious sites. Coupled with another vulnerability from July (CVE-2024-38112), this issue forms a dangerous attack chain that leaves any unpatched PC exposed. If your PC hasn’t received the latest updates, your system may be at risk.
a
Microsoft and CISA warn against another global crisis
Federal agencies have been given until October 7, 2024, to address this vulnerability. However, this deadline isn’t just for government offices; anyone with a Windows PC should prioritize installing the updates. Microsoft fixed part of the vulnerability in their July 2024 Patch Tuesday update, addressing CVE-2024-38112. The most recent update, part of September’s Patch Tuesday, closes the remaining gap, specifically patching CVE-2024-43461. Together, these fixes prevent remote attackers from gaining access to your system through malicious web pages or files.
If you’ve already updated since July, you might think you’re in the clear. However, if you haven’t kept up with the latest patches, your system is still exposed. In a statement, Microsoft noted that while they addressed the initial threat chain earlier in the year, the full resolution wasn’t available until this latest update. Ignoring this fix leaves your PC vulnerable to remote code execution attacks, where hackers can gain control of your computer simply by tricking you into clicking a malicious link.
As you may remember, there were global cyber disasters over a software update by CrowdStrike. This update does not have such side effects, but it may have a domino effect on Windows built on top of the old one. Therefore, it is recommended to take precautions.
a
The MSHTML exploit: A backdoor in disguise
The MSHTML platform, though outdated, remains a part of modern Windows systems due to its use in Internet Explorer mode in Microsoft Edge. Attackers have figured out how to leverage this hidden code to launch their attacks. Security researchers from Trend Micro’s Zero Day Initiative (ZDI) explain that this vulnerability allows hackers to disguise malicious files, tricking users into thinking they are harmless. Once opened, these files can execute code and grant attackers access to your system.
One particularly troubling detail is that hackers are targeting unsuspecting users through popular cloud-sharing platforms, Discord servers, and even online libraries. Files are being disguised as harmless PDFs or other documents, but hidden within are the malicious elements needed to exploit the MSHTML flaw. The cybersecurity group Void Banshee, known for targeting organizations across North America, Asia, and Europe, has been linked to these attacks, using them to steal sensitive information such as passwords and cryptocurrency wallets.
a
Why this update matters now
For anyone wondering why they should take this latest security threat seriously, consider the broader impact. Federal agencies are required by law to patch these vulnerabilities, and this urgency should be a signal to private individuals and organizations as well. Attackers have been using the MSHTML vulnerability to bypass modern browser protections, exploiting Internet Explorer’s dormant code even on Windows 10 and 11 machines. The fact that a long-obsolete browser is being used as a gateway for modern attacks is reason enough to act now.
Check Point, a leading cybersecurity firm, highlights the surprising nature of this exploit, stating that many users don’t even realize Internet Explorer is still on their systems. The fix is simple: install the Microsoft patch. But until you do, your system is at risk.