Microsoft confirms that IE zero-day is exploited in sneaky updating


Analysis In a low-key update to its September Patch Tuesday disclosure, Microsoft has confirmed that a newly patched vulnerability in Internet Explorer was exploited as a zero-day before it could be patched.


Redmond fixed the security flaw — CVE-2024-43461, a "critical" spoofing flaw with an 8.8-out-of-10 CVSS severity rating — in an update issued last week.

At the time, Microsoft said the hole was not being exploited in the wild. Now the software giant says it was exploited before the patch, making it a zero-day for a time.

Essentially, exploiting CVE-2024-43461 lets an attacker hide a file's true extension from the user after the file has been downloaded in Internet Explorer. Using non-printable Unicode characters, it is a neat way to trick someone into opening a file that looks like a harmless download but turns out to run malicious code. To pull that off in practice, a villain would probably have to combine the flaw with others; more on that in a minute.
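The check below is an added example, not code from the article or from Microsoft: a Python routine a defender could run over download filenames (from proxy logs or a Downloads folder) to flag the extension-hiding trick described above. It generalises beyond this CVE to any invisible or blank-rendering character; the function names, the look-alike list and the sample filenames are constructed assumptions.

```python
import unicodedata

# Code points that render blank but are classed as symbols or letters, so a
# category test alone misses them (assumed, non-exhaustive list).
BLANK_LOOKALIKES = {0x2800, 0x3164, 0x115F, 0x1160, 0xFFA0}


def is_invisible(ch):
    """True for characters a file dialog shows as nothing or as blank padding."""
    if ch == " ":
        return False  # ordinary spaces are common in legitimate names
    cat = unicodedata.category(ch)
    return cat in ("Cc", "Cf", "Zs", "Zl", "Zp") or ord(ch) in BLANK_LOOKALIKES


def _ext(name):
    """Lower-cased final extension including the dot, or '' if there is none."""
    _, dot, ext = name.strip().rpartition(".")
    return "." + ext.lower() if dot else ""


def inspect_filename(name):
    """Compare the extension a user is likely to see with the one the OS acts on."""
    hidden = sorted({f"U+{ord(c):04X}" for c in name if is_invisible(c)})
    first = next((i for i, c in enumerate(name) if is_invisible(c)), len(name))
    # Apparent extension: the text still in view when padding pushes the tail away.
    apparent = _ext(name[:first])
    # True extension: what remains once every hidden character is stripped.
    true = _ext("".join(c for c in name if not is_invisible(c)))
    return {"hidden": hidden, "apparent_ext": apparent, "true_ext": true,
            "deceptive": bool(hidden) and apparent != true}


# Constructed sample names, not taken from any real campaign.
SAMPLES = [
    "report.pdf",
    "Q3 résumé.docx",
    "invoice.pdf" + "\u2800" * 24 + ".hta",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), inspect_filename(sample))
```

Legitimate non-ASCII names pass untouched because only control, format, separator and blank look-alike characters count as hidden.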
