Shawdesh Desk:

Here we go again. What was described as a “previously unknown” threat just three months ago has now prompted a third warning from the US government to update or stop using PCs. By exploiting old code buried under the covers of today’s Windows systems, it has quickly become clear that “a significant percentage of Windows devices are fully exposed and at risk of being taken over by attackers.”

The latest vulnerability is CVE-2024-43573, which the US cyber agency warns is “an unspecified spoofing vulnerability which can lead to a loss of confidentiality.” It has mandated all federal employees to “apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable” by October 29. In other words, update your PC within the next ten days, or stop using it until you can.

As ever, while CISA’s mandate applies only to federal staff, it’s intended “for the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity.” Given this is the third such exploitation of this type of vulnerability in a few weeks, and that the initial fixes clearly didn’t complete the job, all are well advised to update right away. “Don’t ignore this,” Trend Micro warns. “Test and deploy this update quickly.”

Timing-wise, the interesting twist with this October warning is the 900 million Windows 10 users yet to move to Windows 11, now just a year away from end-of-life meaning end of support, which will cut off those users from updates such as this. Worse, there are also a reported 50 million Windows users on even older legacy versions of the OS, which means their machines are wide open to these threats.The “previously unknown” threat that has now driven it’s third emergency update warning relates to MSHTML, which—as Check Point explains—is a “special Windows Internet Shortcut file, which, when clicked, call the retired Internet Explorer (IE) to visit the attacker-controlled URL… By opening the URL with IE instead of the modern and much more secure Chrome/Edge browser on Windows, the attacker gained significant advantages in exploiting the victim’s computer, although the computer is running the modern Windows 10/11 operating system.”

The first of these vulnerabilities, CVE-2024-38112, was disclosed in July and linked to infostealer attacks that Trend Micro attributed to APT group Void Banshee. Then in September, CISA added CVE-2024-43461 to its Known Exploited Vulnerability (KEV) catalog, warning it had been exploited “in conjunction with CVE-2024-38112.”

Disclosing the second of these MSHTML vulnerabilities, Trend Micro explained that “the specific flaw exists within the way Internet Explorer prompts the user after a file is downloaded. A crafted file name can cause the true file extension to be hidden, misleading the user into believing that the file type is harmless. An attacker can leverage this vulnerability to execute code in the context of the current user.”

As for CVE-2024-43573—the third MSHTML vulnerability in as many months and actually the fourth this year, with CVE-2024-30040 disclosed in May, Trend Micro says it “is also very similar to the bug patched back in July… There’s no word from Microsoft on whether it’s the same group, but considering there is no acknowledgment here, it makes us think the original patch was insufficient.”

Given that risk, that the original fixes for the MSHTML threat may have been “insufficient,” all Windows users should update now, ensuring that October’s Patch Tuesday updates are applied. There are clearly multiple active threats in the wild exploiting this “previously unknown” threat, and that will only get worse. Which also means that if you’re already out of support or may find yourself there in October 2025—with Windows 10’s end-of-life, you should consider your options.

Yet again, the complexity for Microsoft Windows users updating to address serious security threats risks being hampered by headline reports of bugs in the Windows update process that threaten to cause more issues than they resolve.

As Neowin reports, Microsoft has now confirmed “another bug causing blue screens of death in Windows 11 24H2.” This major, annual update thats could have been a Windows 12 given its scope, “has its own list of known bugs and issues, Neowin says. “Some of those issues are quite severe and cause blue screens of death… Now, however, we have another known bug that causes system crashes.”

There have been wider issues, but this one just seems to hit PCs with Voicemeeter installed. As XDA reports, “Voicemeeter is the culprit that forced Microsoft to put ‘a compatibility hold’ on Windows 11 PCs using this application. In simple words, PCs with the Voicemeeter application installed will not be updated to Windows 11, version 24H2 for now. Mind you, this is a temporary measure.”

If you do have Voicemeeter on your PC, don’t force an install in any way. Microsoft warns that “we recommend that you do not attempt to manually update to version 24H2 using the Windows 11 Installation Assistant or the media creation tool until this issue has been resolved,” explaining that “after installing Windows 11, version 24H2, you might experience issues with your device if you are running the Voicemeeter application. While using the Voicemeeter application, you might observe that your device encounters a blue screen with an error message indicating a MEMORY MANAGEMENT error… To safeguard your update experience, we have applied a compatibility hold on devices using this application. These devices will not be offered to install Windows 11, version 24H2 via the Windows Update release channel.”

“Microsoft isn’t at fault here,” says XDA. “Luckily, VB-Audio Software, the company that developed the Voicemeeter app, has started working on a resolution, but there is no clarity on how many days it’ll take for the team to fix the driver compatibility issue.” For those affected users, just ensure you have the latest Windows update still available to you installed, ensuring security vulnerabilities are patched. The same is true for others experiencing such update issues, including those with Asus devices.