“This month, Microsoft patched two zero-day vulnerabilities that were exploited in the wild.

“CVE-2024-43573 is a spoofing bug in the Windows MSHTML platform. It’s the fourth zero-day vulnerability in MSHTML that was exploited in the wild in 2024 – preceded by CVE-2024-30040, CVE-2024-38112, and CVE-2024-43461.

“CVE-2024-38112, a spoofing bug in MSHTML, was exploited by an advanced persistent threat (APT) actor called Void Banshee. Last month, it was discovered that Void Banshee utilized CVE-2024-38112 and CVE-2024-43461 as part of an exploit chain.

“We have no details at this time regarding the in-the-wild exploitation of CVE-2024-43573, but it highlights a valuable attack path being leveraged by threat actors currently. User interaction is required to exploit all of these MSHTML flaws, which typically utilises some type of social engineering.

“CVE-2024-43572 is a code execution flaw in Microsoft Management Console (MMC) that was also exploited in the wild as a zero-day. While we don’t have any specific details about the in-the-wild exploitation of CVE-2024-43572, this patch arrived a few months after researchers disclosed an attack technique called GrimResource that leveraged an old cross-site scripting (XSS) vulnerability combined with a specially crafted Microsoft Saved Console (MSC) file to gain code execution privileges. Although Microsoft patched a different MMC vulnerability in September (CVE-2024-38259) that was neither exploited in the wild nor publicly disclosed. Since the discovery of CVE-2024-43572, Microsoft now prevents untrusted MSC files from being opened on a system.”- Satnam Narang, Senior Staff Research Engineer, Tenable