Zero-Day Vulnerability in MSHTML (CVE-2021-40444)

A zero-day vulnerability in MSHTML (CVE-2021-40444) allows malicious actors to conduct Remote Code Execution (RCE) attacks via specially-crafted Microsoft Office documents.

Description

Microsoft warned on Tuesday of a zero-day vulnerability in MSHTML (CVE-2021-40444) that is known to be exploited in the wild by malicious actors in targeted attacks. Specifically, the vulnerability lies in the MSHTML engine as hosted within Microsoft Office documents.

MSHTML

Introduced with Microsoft Internet Explorer, MSHTML is the browser's core HTML rendering engine, and it is also used by Microsoft Office applications to render HTML content.

According to Microsoft, an attacker could craft a malicious ActiveX control to be executed by MSHTML when it is hosted in a Microsoft Office document. To carry out a successful attack, the adversary would also have to convince the targeted user to open the malicious document, typically through social engineering techniques such as phishing.

Following a successful attack, the adversary gains the same level of privileges as the targeted user. In this respect, Microsoft warns that users operating with administrative rights would be affected more seriously than users running accounts with limited rights.

Note that attacks exploiting the MSHTML vulnerability are thwarted when users leave the default, unprivileged execution configuration for ActiveX controls unchanged on opening a maliciously crafted Microsoft Office document. Additionally, Microsoft notes that both Microsoft Defender Antivirus and Microsoft Defender for Endpoint provide detections and protections for this vulnerability.

Impact

Successful exploitation of CVE-2021-40444 could allow a remote attacker to gain full control of the system and run arbitrary code with SYSTEM privileges. After gaining elevated privileges, attackers can install arbitrary programs and view, change or delete data without authorization.

Impact Summary

Category: Remote Code Execution (RCE)
CVSS 3.1 Base Score: 8.8 High
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Solution

Currently, there is no available patch to remediate the CVE-2021-40444 vulnerability. However, Microsoft is expected to issue a patch with this month’s Patch Tuesday updates.

Microsoft states that both Microsoft Defender Antivirus and Microsoft Defender for Endpoint can provide detection and protection for this vulnerability. Thus, for now users are advised to keep their anti-malware products up to date.

Users should also remain alert to social engineering attacks such as phishing, which could deliver maliciously crafted Microsoft Office documents.

Also, as a mitigation, users should disable ActiveX controls in Internet Explorer, as Microsoft suggests.
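The following PowerShell script is an added example, not part of the original article or of Microsoft's advisory text. It applies and then verifies the ActiveX-disabling registry workaround Microsoft published for CVE-2021-40444: URL-action values 1001 ("Download signed ActiveX controls") and 1004 ("Download unsigned ActiveX controls") are set to 3 (Disable) under the policy hive for Internet Explorer security zones 0 to 3. The function names and the $zonesRoot/$actions variables are this example's own choices.

```powershell
# Added example (not from the original article): apply and verify the
# ActiveX-disabling registry workaround Microsoft published for CVE-2021-40444.
# Run from an elevated PowerShell session; the change applies after a reboot.

$zonesRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Zone 0 = My Computer, 1 = Local intranet, 2 = Trusted sites, 3 = Internet
$zones = 0..3
# URL action values: 1001 = "Download signed ActiveX controls",
#                    1004 = "Download unsigned ActiveX controls". 3 = Disable.
$actions = @{ '1001' = 3; '1004' = 3 }

function Set-ActiveXDisabled {
    foreach ($zone in $zones) {
        $key = Join-Path $zonesRoot $zone
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        foreach ($name in $actions.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $actions[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-ActiveXDisabled {
    # Returns $true only when every zone carries both values set to 3,
    # so the check can be reused as a compliance probe after the reboot.
    $ok = $true
    foreach ($zone in $zones) {
        $key = Join-Path $zonesRoot $zone
        foreach ($name in $actions.Keys) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($current -ne 3) {
                Write-Warning "Zone $zone value $name is '$current' (expected 3)"
                $ok = $false
            }
        }
    }
    return $ok
}

Set-ActiveXDisabled
if (Test-ActiveXDisabled) {
    'ActiveX download is disabled in zones 0-3; reboot to apply the policy.'
}
```

Export the affected Zones keys before running this so the change can be reverted once the vendor patch is installed. Because the values live under the Policies hive, they take precedence over per-user Internet Options settings, and, as Microsoft notes for this workaround, they also disable ActiveX controls in Internet Explorer itself; previously installed controls keep working.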

Quote by Kevin Mitnick

Social engineering is using deception, manipulation and influence to convince a human who has access to a computer system to do something, like click on an attachment in an e-mail.

Kevin Mitnick

