CVE-2024-43461 — Microsoft Windows MSHTML Platform Spoofing Vulnerability

CVE-2024-43461

Windows MSHTML — Zero-Day File Extension Spoofing Used by Void Banshee APT to Bypass CVE-2024-38112 Patch

What is the Windows MSHTML Platform?

MSHTML (Trident) is the rendering engine that powered Internet Explorer and remains in Windows as a system component used by some legacy applications and the IE mode in Microsoft Edge. Despite Internet Explorer's retirement, MSHTML is still installed on all Windows systems and can be invoked by applications and protocol handlers. The MSHTML platform processes HTML, runs scripts, and handles the rendering of web content in contexts outside of modern browsers — making vulnerabilities in it relevant even for organizations that have fully migrated to Edge or Chrome.

Overview

CVE-2024-43461 is a UI spoofing vulnerability in the Windows MSHTML Platform that allowed the Void Banshee APT to bypass the fix for CVE-2024-38112 (a July 2024 MSHTML zero-day) by using braille space characters to conceal the .hta (HTML Application) file extension from Windows file dialogs. When a user was presented with a file dialog triggered by a crafted URL, the extension was hidden by padding with braille blank characters, making a malicious .hta file appear to have a benign extension. This deceived users into opening the file, which MSHTML executed as an HTA script — enabling code execution. CISA added it to the KEV catalog six days after the September 2024 patch, reflecting known prior exploitation in the Void Banshee campaign.

Affected Versions

OS                                   Status
Windows 10 (all supported versions)  Patched September 2024 Patch Tuesday
Windows 11 (all supported versions)  Patched September 2024 Patch Tuesday
Windows Server 2008 R2 and later     Patched September 2024 Patch Tuesday

Technical Details

CWE-451 (User Interface Misrepresentation of Critical Information). Windows file dialogs display a file's name and extension to help users make trust decisions before opening a file. The vulnerability exploits the fact that braille blank characters (Unicode U+2800 BRAILLE PATTERN BLANK) are invisible in the file dialog UI but are accepted as part of a filename. By inserting dozens of braille blanks between the displayed name and the .hta extension, a filename could be crafted so that the visible portion showed a plausible-looking .pdf or other benign extension while the actual executable extension .hta was pushed off-screen.

.hta (HTA) files are executed by the Windows mshta.exe process using MSHTML, providing full scripting capabilities (VBScript, JScript) outside any browser security sandbox. Executing an HTA file is equivalent to running an arbitrary script with user-level privileges — no browser sandbox containment applies.
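The mechanism above reduces to a mismatch between the extension a user sees and the one Windows dispatches on. The following added example (not code from the advisory or from Microsoft) is a small defender-side check that flags filenames whose real extension is hidden behind the U+2800 braille blank; it also generalises to other invisible Unicode characters (space separators and format characters such as the zero-width space). The sample filenames are constructed for the demonstration.

```python
import unicodedata

# Extensions Windows hands to a script host or loader; .hta is the one the
# Void Banshee campaign hid, since mshta.exe runs it outside any sandbox.
EXECUTABLE_EXTENSIONS = {".hta", ".exe", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".scr", ".bat", ".cmd"}
BRAILLE_BLANK = "\u2800"  # U+2800 BRAILLE PATTERN BLANK: draws as empty space

def is_invisible(ch: str) -> bool:
    """Characters that leave no visible glyph in a file dialog: the braille
    blank from CVE-2024-43461 plus, as a generalisation, Unicode space
    separators (Zs) and format characters (Cf, e.g. zero-width space).
    The ordinary ASCII space is normal in filenames and counts as visible."""
    if ch == BRAILLE_BLANK:
        return True
    return ch != " " and unicodedata.category(ch) in ("Zs", "Cf")

def _extension(s: str) -> str:
    """Lower-cased text after the last dot, or '' when there is none."""
    return "." + s.rsplit(".", 1)[1].lower() if "." in s else ""

def analyze_filename(name: str) -> dict:
    """Compare the extension a user would see with the one Windows acts on."""
    true_ext = _extension(name)  # Windows dispatches on the last dot
    pad_start = next((i for i, c in enumerate(name) if is_invisible(c)), None)
    # Text on screen before the padding pushes the real extension out of view.
    visible = name if pad_start is None else name[:pad_start].rstrip()
    apparent_ext = _extension(visible)
    invisible_count = sum(1 for c in name if is_invisible(c))
    return {
        "true_ext": true_ext,
        "apparent_ext": apparent_ext,
        "invisible_chars": invisible_count,
        "spoofed": invisible_count > 0 and apparent_ext != true_ext,
        "dangerous": true_ext in EXECUTABLE_EXTENSIONS,
    }

def flagged(names):
    """Names that both hide their extension and end in an executable one."""
    return [n for n in names
            if (r := analyze_filename(n))["spoofed"] and r["dangerous"]]

# Constructed sample filenames (not from the advisory): the first mimics the
# campaign's trick, a .pdf look-alike padded with braille blanks in front of
# the real .hta; the last uses zero-width spaces (U+200B) the same way.
SAMPLE_NAMES = [
    "invoice.pdf" + BRAILLE_BLANK * 26 + ".hta",
    "quarterly report.pdf",
    "setup.exe",
    "contract.docx" + "\u200b" * 12 + ".js",
]
```

Run over an email-gateway or download-directory listing, `flagged()` returns only the names that combine hidden padding with an executable real extension, so plain `setup.exe` is not reported while the braille-padded `.hta` is.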

Discovery

Discovered by Peter Girnus of Trend Micro's Zero Day Initiative (ZDI), who was tracking the Void Banshee APT campaign. CVE-2024-43461 was used specifically as a bypass after Microsoft's July 2024 patch for CVE-2024-38112 disrupted the earlier version of the campaign.

Exploitation Context

Void Banshee is an APT group targeting North America, Europe, and Southeast Asia for information theft. The group's campaign used CVE-2024-38112 (July 2024) and then CVE-2024-43461 (as a bypass after the first vulnerability was patched) to deliver the Atlantida information stealer — a credential-harvesting malware that extracts passwords, cookies, and sensitive data from browsers and applications. The deliberate bypass of a Microsoft patch within the same year demonstrates the group's technical capability and persistence in maintaining their exploitation chain.

Remediation

  1. Apply the September 2024 Windows security updates (Patch Tuesday, September 10, 2024) — this patches CVE-2024-43461 and adds hardening of the file dialog to prevent extension spoofing via Unicode tricks.
  2. Disable mshta.exe execution via AppLocker, Windows Defender Application Control, or Attack Surface Reduction rules if HTA files are not legitimately used in your environment.
  3. Block .hta files at the email gateway and web proxy to prevent phishing delivery.
  4. Disable or remove IE mode from Microsoft Edge if it is not required for business purposes.

Key Details

Property              Value
CVE ID                CVE-2024-43461
Vendor / Product      Microsoft — Windows
NVD Published         2024-09-10
NVD Last Modified     2025-10-28
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-451
CISA KEV Added        2024-09-16
CISA KEV Deadline     2024-10-07
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2024-10-07. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-07-09  CVE-2024-38112 (related MSHTML zero-day) patched in July 2024 Patch Tuesday
2024-09-10  Microsoft releases September 2024 Patch Tuesday patching CVE-2024-43461 — a bypass for the CVE-2024-38112 fix
2024-09-16  Added to CISA Known Exploited Vulnerabilities catalog
2024-10-07  CISA BOD 22-01 remediation deadline