CVE-2024-43573 — Microsoft Windows MSHTML Platform Spoofing Vulnerability

Windows MSHTML — Zero-Day .url File Trick Again Spoofs Web Content; Void Banshee Follow-On to CVE-2024-38112; October 2024 Patch Tuesday

What is Windows MSHTML?

The Microsoft HTML engine (MSHTML, also known as Trident) is the legacy Internet Explorer rendering engine built into Windows. Although Internet Explorer was retired in 2022, MSHTML remains present on every Windows system and can still be invoked through Windows shell mechanisms, specifically .url internet shortcut files and the mhtml: URI handler. Because this legacy component lacks the sandboxing and regular security updates of modern browsers, it is a recurring attack surface: any flaw that lets Windows silently invoke MSHTML when a user interacts with a file hands attackers an old, under-maintained rendering engine.

Overview

CVE-2024-43573 is a zero-day spoofing vulnerability in the Windows MSHTML platform, patched and added to CISA KEV simultaneously on October 8, 2024 (October Patch Tuesday). It is a direct follow-on to CVE-2024-38112 — the earlier MSHTML spoofing zero-day from July 2024 that Void Banshee APT used to deploy the Atlantida credential stealer. Microsoft's July patch blocked one exploitation path, but attackers adapted, finding a related technique that remained exploitable, resulting in this second MSHTML spoofing zero-day within three months.

Affected Versions

Product                                Status
Windows 10 (all supported versions)    Patched (October 2024 Patch Tuesday)
Windows 11 (all supported versions)    Patched (October 2024 Patch Tuesday)
Windows Server 2008 R2 and later       Patched (October 2024 Patch Tuesday)

Technical Details

CWE-79 (Cross-Site Scripting / Spoofing). The Windows MSHTML platform can be invoked through specially crafted files in a way that lets an attacker spoof the web content presented to the user. As with CVE-2024-38112, the attack vector is .url shortcut files or related Windows shell integration mechanisms that trigger MSHTML rendering, exposing the legacy engine's weaker security model to attacker-supplied content. The spoofing lets attackers present convincing but malicious web content in what appears to be a trusted context, facilitating credential theft or code execution through MSHTML's legacy scripting capabilities (jscript9.dll / Internet Explorer mode).

The confidentiality impact (C:H) reflects that the primary exploitation goal is credential and data theft — the legacy scripting environment and spoofed content can be used to harvest authentication tokens, credentials, and sensitive data from victims who interact with the malicious file.

Discovery

Attributed to active exploitation by Void Banshee APT, the same threat actor that weaponized the predecessor CVE-2024-38112 in targeted attacks against organizations in North America, Europe, and Southeast Asia. The rapid reappearance of a related technique within three months of the prior patch indicates Void Banshee had multiple MSHTML exploitation techniques prepared and adapted when the first was blocked.

Exploitation Context

Void Banshee is an information-stealing threat actor targeting organizations with a focus on credential and sensitive data theft for financial gain. Their MSHTML exploitation technique involves distributing malicious files (often sent via email, shared file links, or dropped alongside pirated software) that silently invoke MSHTML when the victim double-clicks or previews them. The result is an invisible Internet Explorer instance that loads attacker-controlled content and executes legacy JavaScript to deploy information stealers such as Atlantida. The recurring exploitation of MSHTML zero-days by this actor reflects systematic testing of Windows' legacy component attack surface.

Remediation

  1. Apply the October 2024 Windows security updates (Patch Tuesday, October 8, 2024) to all affected systems.
  2. Ensure the July 2024 patch for CVE-2024-38112 is also applied — both patches are needed to fully address this MSHTML attack surface.
  3. Use Group Policy to disable the Internet Explorer rendering engine (DisableInternetExplorerApp) where not required — this reduces but does not fully eliminate the MSHTML attack surface.
  4. Block .url files from being delivered via email by configuring mail gateway rules to strip or quarantine internet shortcut attachments.
  5. Enable Windows Defender Attack Surface Reduction rules, particularly those blocking execution of content from untrusted sources, to limit Void Banshee's delivery mechanism effectiveness.
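A gateway-side check for step 4, added here as an example (not Microsoft's or this advisory's own code): it parses the INI-style .url shortcut format and quarantines any shortcut whose target is routed through the mhtml: handler, the MSHTML invocation path described above, or that uses any scheme other than plain http(s). The function and constant names and the sample shortcut bodies are constructed for the example.

```python
import configparser
from urllib.parse import urlsplit

# Windows .url internet shortcuts are INI-style files; Explorer opens the
# target named by the URL= key in the [InternetShortcut] section. Legitimate
# shortcuts point at plain http(s) URLs. A target routed through the mhtml:
# handler is rendered by the legacy MSHTML engine rather than the default
# browser, which is the invocation path this advisory describes.
SAFE_SCHEMES = {"http", "https"}
MSHTML_SCHEMES = {"mhtml"}

def parse_url_shortcut(text: str) -> dict:
    """Return the [InternetShortcut] keys of a .url file, lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}  # not a well-formed shortcut at all
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return {k.lower(): (v or "").strip() for k, v in cp.items(section)}
    return {}

def classify_url_shortcut(text: str) -> tuple:
    """Return ('allow' | 'quarantine', reason) for one .url file body."""
    target = parse_url_shortcut(text).get("url", "")
    if not target:
        return ("quarantine", "no [InternetShortcut] URL= target")
    scheme = urlsplit(target).scheme.lower()
    if scheme in MSHTML_SCHEMES:
        return ("quarantine", f"target uses the {scheme}: handler (MSHTML)")
    if scheme not in SAFE_SCHEMES:
        return ("quarantine", f"unexpected scheme '{scheme or '(none)'}'")
    return ("allow", "plain web target")

# Constructed sample attachments (not real samples from any campaign).
BENIGN = "[InternetShortcut]\r\nURL=https://www.example.com/\r\nIconIndex=0\r\n"
SUSPECT = "[InternetShortcut]\r\nURL=mhtml:http://attacker.invalid/page.html\r\n"

def scan_attachments(files: dict) -> dict:
    """Map attachment name -> verdict for every .url body in the batch."""
    return {name: classify_url_shortcut(body)[0] for name, body in files.items()}

if __name__ == "__main__":
    for name, body in {"benign.url": BENIGN, "suspect.url": SUSPECT}.items():
        print(f"{name}: {' / '.join(classify_url_shortcut(body))}")
```

Shortcuts that fail to parse at all are quarantined too, since a malformed .url attachment has no legitimate reason to arrive by mail.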

Key Details

Property               Value
CVE ID                 CVE-2024-43573
Vendor / Product       Microsoft — Windows
NVD Published          2024-10-08
NVD Last Modified      2025-10-30
CVSS 3.1 Score         6.5
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity               MEDIUM
CWE                    CWE-79
CISA KEV Added         2024-10-08
CISA KEV Deadline      2024-10-29
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              None
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2024-10-29. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-07-09   CVE-2024-38112 (prior MSHTML .url file spoofing) patched; Void Banshee technique partially blocked
2024-10-08   Microsoft patches CVE-2024-43573 as a zero-day on October 2024 Patch Tuesday; CISA adds it to KEV the same day
2024-10-29   CISA BOD 22-01 remediation deadline

References

Resource                                         Type
Microsoft Security Advisory — CVE-2024-43573     Vendor Advisory
NVD — CVE-2024-43573                             Vulnerability Database
CISA KEV Catalog Entry                           US Government