Attackers are exploiting zero-day RCE flaw to target Windows users (CVE-2021-40444)
Attackers are exploiting CVE-2021-40444, a zero-day remote code execution vulnerability in MSHTML (the main HTML component of the Internet Explorer browser), to compromise Windows/Office users in “a limited number of targeted attacks,” Microsoft has warned on Tuesday.
About CVE-2021-40444 and the attacks
CVE-2021-40444 is a set of logical flaws that can be leveraged by remote, unauthenticated attackers to execute code on the target system.
The current attacks were detected by Microsoft, Mandiant, and Expmon researchers. The latter say that they’ve reliably reproduced the attack on Windows 10:
We have reproduced the attack on the latest Office 2019 / Office 365 on Windows 10 (typical user environment), for all affected versions please read the Microsoft Security Advisory. The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous).
— EXPMON (@EXPMON_) September 7, 2021
The attackers are flinging specially-crafted Microsoft Office documents at targets.
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document,” Microsoft explained.
The company also noted that “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” and that Microsoft Office opens documents from the internet in Protected View or Application Guard for Office by default, and that this prevents the current attacks.
Unfortunately, users are often tricked into opening documents from untrusted sources and to exit the Protected View.
To contextualise this, Protected View also protects against macros.. which are the single biggest source of malware in the security industry, as “Enable Content” in the UI disables it.
Application Guard for Office is an E5 only feature and isn’t used to open docs by default. pic.twitter.com/IiaCic9EWJ
— Kevin Beaumont (@GossiTheDog) September 7, 2021
Until a patch is released, Microsoft has advised admins to disable ActiveX in Internet Explorer to mitigate the risk (instructions on how to do it are included in the security advisory).
“At this point, it should be pretty low impact to disable ActiveX, but of course, there may be individual enterprise applications that still use ActiveX,” noted Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute.