Insights | Integrity360

MSHTML Critical Vulnerability Advisory

Written by Admin | 10 September 2021 12:18:26 Z

Security Update (14/09/2021)

Microsoft’s “Patch Tuesday” has included a fix for CVE-2021-40444. You can find the patch details for each Operating System version here. This round of updates also fixes 85 other vulnerabilities as shown here.

This week, Microsoft disclosed a newly discovered remote code execution vulnerability in MSHTML that affects Microsoft Windows. Integrity360 can confirm that it is actively being exploited in the wild.

The threat

CVE-2021-40444 (CVSS 3.0 score: 8.8 / 7.9, as of 10/09/2021)
This vulnerability allows an attacker to craft a weaponised ActiveX control that the MSHTML browser rendering engine then executes. The control is embedded in a Microsoft Office document made to look legitimate, which is delivered to targets as an email attachment. It was originally thought that only Office documents could be weaponised to exploit this vulnerability, but research by Rich Warren shows that RTF (Rich Text Format) documents can also carry the exploit, and that it triggers even in Preview Mode. Further research may show that more than Microsoft Office documents and RTF files are affected. Watch this space.
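As an added triage example (not part of the Integrity360 advisory), the following PowerShell check inspects an Office document for the hook described above: an embedded OLE object whose relationship points to a target outside the document package. It relies only on the standard OOXML layout (the `_rels/*.rels` part files inside the zip) and .NET's `ZipFile` class; the quarantine folder path is a placeholder. A hit is not proof of exploitation, only a reason to keep the file quarantined and analyse it rather than open it.

```powershell
# Added triage example, not code from the advisory: list external OLE object
# relationships inside an OOXML package (.docx/.xlsx/.pptx).
# A benign document rarely needs an oleObject relationship with TargetMode="External";
# one that does should be quarantined and analysed, not opened.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ExternalOleRelationship {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # path to the Office document to inspect
    )

    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # Relationship part files live under */_rels/ and end in .rels
        foreach ($entry in $zip.Entries | Where-Object { $_.FullName -like '*.rels' }) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try {
                $xml = [xml]$reader.ReadToEnd()
            }
            finally {
                $reader.Dispose()
            }

            foreach ($rel in @($xml.Relationships.Relationship)) {
                # The Type URI ends in /oleObject for embedded or linked OLE objects;
                # TargetMode="External" means the Target is fetched from outside the package.
                if ($rel.Type -like '*/oleObject' -and $rel.TargetMode -eq 'External') {
                    [pscustomobject]@{
                        File     = $Path
                        RelsPart = $entry.FullName
                        Id       = $rel.Id
                        Target   = $rel.Target
                    }
                }
            }
        }
    }
    finally {
        $zip.Dispose()
    }
}

# Usage (placeholder folder): sweep quarantined attachments and report hits
$hits = Get-ChildItem -Path 'C:\quarantine' -Include *.docx, *.xlsx, *.pptx -Recurse |
    ForEach-Object { Get-ExternalOleRelationship -Path $_.FullName }

if ($hits) {
    $hits | Format-Table -AutoSize
}
else {
    Write-Output 'No external OLE object relationships found.'
}
```

The check reads the package as a zip and never renders the document, so it is safe to run on suspicious files from an analysis host. It does not cover RTF, which is not a zip package and needs a separate parser.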

The impact

Integrity360 has observed multiple real cases of this vulnerability being exploited in the wild as of the time of writing. Organisations with weak anti-phishing strategies will be hit hardest. Integrity360 will continue to monitor our customers' estates, and the wider threat landscape, with extra care and due diligence for threat actors looking to capitalise on this critical vulnerability.

Recommendations

  • Ensure that all employees are extremely vigilant about email attachments and phishing emails in general.
  • There is no patch at the moment; however, a number of temporary workarounds to disable ActiveX can be found here.
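The workaround Microsoft published for this CVE blocks the installation of new ActiveX controls in the Internet Explorer security zones that MSHTML honours. As an added example (not the advisory's or Microsoft's own code), the PowerShell below audits whether that registry setting is in place on a host and can apply it; the registry path and the 1001/1004 value names are the ones from Microsoft's published workaround, and should be checked against the current MSRC guidance before use.

```powershell
# Added example, not the advisory's or Microsoft's own code: audit (and optionally apply)
# the registry workaround that disables downloading ActiveX controls in IE zones 0-3.
# Run from an elevated shell; Microsoft's guidance notes a restart is needed to take effect.
$ZonesPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# URL action values: 1001 = Download signed ActiveX controls,
#                    1004 = Download unsigned ActiveX controls. DWORD 3 = Disable.
$ActiveXActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}
$Disabled = 3

function Get-ActiveXZoneStatus {
    # One row per zone/action pair, with IsMitigated = $true only when the value is 3
    foreach ($zone in 0..3) {
        $zoneKey = Join-Path $ZonesPath $zone
        foreach ($action in $ActiveXActions.Keys) {
            $current = $null
            if (Test-Path $zoneKey) {
                $current = (Get-ItemProperty -Path $zoneKey -Name $action -ErrorAction SilentlyContinue).$action
            }
            [pscustomobject]@{
                Zone        = $zone
                Action      = "$action ($($ActiveXActions[$action]))"
                Value       = if ($null -eq $current) { 'not set' } else { $current }
                IsMitigated = ($current -eq $Disabled)
            }
        }
    }
}

function Set-ActiveXZoneMitigation {
    # Creates the policy keys if missing and sets both URL actions to Disable in zones 0-3
    foreach ($zone in 0..3) {
        $zoneKey = Join-Path $ZonesPath $zone
        if (-not (Test-Path $zoneKey)) {
            New-Item -Path $zoneKey -Force | Out-Null
        }
        foreach ($action in $ActiveXActions.Keys) {
            Set-ItemProperty -Path $zoneKey -Name $action -Value $Disabled -Type DWord
        }
    }
}

# Usage: report the current state and warn about any zone still allowing ActiveX downloads
$status = Get-ActiveXZoneStatus
$status | Format-Table -AutoSize
$gaps = @($status | Where-Object { -not $_.IsMitigated })
if ($gaps.Count -gt 0) {
    Write-Warning ("ActiveX download still allowed for {0} zone/action pair(s); run Set-ActiveXZoneMitigation from an elevated shell." -f $gaps.Count)
}
```

The audit function is the useful part for fleet-wide checks: its output is a plain object list that can be collected by a remoting or EDR job and compared across hosts. The workaround only prevents new ActiveX controls from being installed, so it is a stopgap until the September security update described at the top of this advisory is deployed.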

Affected systems

Product: All Microsoft Windows Operating Systems until further information is disclosed.

More information