Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444)

On 7 Sep, Microsoft has reported a vulnerability has recently been reported affecting various versions of Windows and Windows Servers by using specially-crafted Microsoft Office documents.

 

Background

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft has released https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 to track the information.

 

Severity Level

  • Critical

 

Affected OS

  • Windows versions:  8.1 – 10
  • Windows Server versions:  2008, 2012, 2016, 2019

 

Current Protection

  • On 14 September    2021, Microsoft released security updates to address this vulnerability.  Please install these updates immediately.
  • Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability.
  • Kaspersky recommends to enable KSN “Kaspersky Security Network” and “Exploit Prevention” for protection.  Now it can also detect these threats based on this vulnerability:
    • HEUR:Trojan.MSOffice.Agent.gen
    • HEUR:Exploit.MSOffice.CVE-2021-40444.a
    • PDM:Exploit.Win32.Generic
  • Palo Alto Firewall can now detect some threats (ID 91602, 91603 and 91605) based on this vulnerability.

Recommendations

  • Do not open suspicious document.  By default Microsoft Office will open documents from the internet in Protected View mode.  The attacker will try to convince the user to disable the protection by pretending to be from a trusted source.  Please verify with the source before doing so.
  • Disabling the installation of all ActiveX controls in Internet Explorer as described in the Microsoft document.
  • As always, users should use account with Standard User Right for their daily works.  This will significantly reduce secure risk.

 

Reference

 

Enquiry

 

 

 

Published on: 9 Sep 2021