Time is running out for Windows users, as Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a clear warning: update your systems now or risk severe security vulnerabilities. A new exploit involving outdated Internet Explorer code threatens the security of millions of PCs. Despite Internet Explorer being largely forgotten, the remnants of its code have opened up a major vulnerability, and hackers are already exploiting it.
CISA recently added a new vulnerability, CVE-2024-43461, to its Known Exploited Vulnerabilities (KEV) catalog. This exploit, rooted in the MSHTML platform within Windows, allows hackers to spoof web pages and trick users into visiting malicious sites. Coupled with another vulnerability from July (CVE-2024-38112), this issue forms a dangerous attack chain that leaves any unpatched PC exposed. If your PC hasn’t received the latest updates, your system may be at risk.
Microsoft and CISA warn against another global crisis
Federal agencies have been given until October 7, 2024, to address this vulnerability. However, this deadline isn’t just for government offices; anyone with a Windows PC should prioritize installing the updates. Microsoft fixed part of the vulnerability in their July 2024 Patch Tuesday update, addressing CVE-2024-38112. The most recent update, part of September’s Patch Tuesday, closes the remaining gap, specifically patching CVE-2024-43461. Together, these fixes prevent remote attackers from gaining access to your system through malicious web pages or files.
If you’ve already updated since July, you might think you’re in the clear. However, if you haven’t kept up with the latest patches, your system is still exposed. In a statement, Microsoft noted that while they addressed the initial threat chain earlier in the year, the full resolution wasn’t available until this latest update. Ignoring this fix leaves your PC vulnerable to remote code execution attacks, where hackers can gain control of your computer simply by tricking you into clicking a malicious link.
As you may remember, there were global cyber disasters over a software update by CrowdStrike. This update does not have such side effects, but it may have a domino effect on Windows built on top of the old one. Therefore, it is recommended to take precautions.
The MSHTML exploit: A backdoor in disguise
The MSHTML platform, though outdated, remains a part of modern Windows systems due to its use in Internet Explorer mode in Microsoft Edge. Attackers have figured out how to leverage this hidden code to launch their attacks. Security researchers from Trend Micro’s Zero Day Initiative (ZDI) explain that this vulnerability allows hackers to disguise malicious files, tricking users into thinking they are harmless. Once opened, these files can execute code and grant attackers access to your system.
One particularly troubling detail is that hackers are targeting unsuspecting users through popular cloud-sharing platforms, Discord servers, and even online libraries. Files are being disguised as harmless PDFs or other documents, but hidden within are the malicious elements needed to exploit the MSHTML flaw. The cybersecurity group Void Banshee, known for targeting organizations across North America, Asia, and Europe, has been linked to these attacks, using them to steal sensitive information such as passwords and cryptocurrency wallets.
Why this update matters now
For anyone wondering why they should take this latest security threat seriously, consider the broader impact. Federal agencies are required by law to patch these vulnerabilities, and this urgency should be a signal to private individuals and organizations as well. Attackers have been using the MSHTML vulnerability to bypass modern browser protections, exploiting Internet Explorer’s dormant code even on Windows 10 and 11 machines. The fact that a long-obsolete browser is being used as a gateway for modern attacks is reason enough to act now.
Check Point, a leading cybersecurity firm, highlights the surprising nature of this exploit, stating that many users don’t even realize Internet Explorer is still on their systems. The fix is simple: install the Microsoft patch. But until you do, your system is at risk.
🛡️ We added #Microsoft Windows & #Progress WhatsUp vulnerabilities, #CVE-2024-43461 & CVE-2024-6670, to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/dOIn6I9vuB & apply mitigations to protect your org from cyberattacks. #Cybersecurity #InfoSec pic.twitter.com/zmADn0MgpG
— CISA Cyber (@CISACyber) September 16, 2024
What happens if you don’t update?
If you’re thinking of waiting for this one out, think again. CISA has explicitly warned that failure to update could result in serious breaches. With a wide range of malicious actors exploiting this flaw, the consequences of inaction could be dire. Whether it’s personal data theft, financial loss, or worse, the risks of not patching your system are too high to ignore. As Void Banshee continues to target vulnerable systems, the clock is ticking for all users to take action.
Although CISA’s warnings are aimed at federal agencies, private companies, and everyday users are equally vulnerable. If you’re using a Windows system, especially one that hasn’t been updated recently, you’re potentially a target. Microsoft has emphasized the importance of installing both the July and September patches to fully protect your PC. Ignoring these updates leaves your system susceptible to exploitation by hackers looking to steal sensitive information.
With just a few weeks left, there’s no time to hesitate. Microsoft says this is a critical update that could make your system more secure. If your PC hasn’t been updated since July, you’ve missed a deadline. Don’t miss this one. Update your Windows system by October 7 to avoid a cyberattack. Update now or face the consequences. The MSHTML vulnerability is real, and the clock is ticking for anyone still running an unpatched version of Windows. Don’t wait for hackers to exploit your system. Secure your PC before it’s too late.
Image credits: Furkan Demirkaya / Ideogram