Attackers are exploiting CVE-2021-40444, a zero-day remote code execution vulnerability in MSHTML (the main HTML component of the Internet Explorer browser), to compromise Windows/Office, Microsoft has warned on Tuesday. Tricking victims into running malicious executables remains a popular method for getting a foothold into organizations.
Numerous attempts to exploit MSHTML to compromise Microsoft Windows have been observed in the second week of Sept 2021, and there are reports that Microsoft is investigating a remote code execution vulnerability in MSHTML. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially crafted Microsoft Office documents.
Microsoft is aware of the targeted attacks and has shared the vulnerability uses malicious ActiveX controls to exploit Office 365 and Office 2019 on Windows 10 to download and install malware on an affected computer. The exploit uses logical flaws which makes the exploitation is perfectly reliable as well as dangerous.
Image Source: Twitter
Microsoft has also shared mitigations to prevent ActiveX controls from running in Internet Explorer, effectively blocking the current attacks. However, security researcher Kevin Beaumont has already discovered a way to bypass Microsoft’s current mitigations to exploit this vulnerability.
With these bypasses and additional use cases, CVE-2021-40444 has become even more severe than initially thought.
Affected products
Microsoft Windows/Office.
Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
Mitigation
Defenders should be on the lookout for documents that contain any of the following objects:
Shell.Explorer.1 / {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
Forms.HTML:Image.1 / {5512D112-5CC6-11CF-8D67-00AA00BDCE1D}
Forms.HTML:Submitbutton.1 / {5512D110-5CC6-11CF-8D67-00AA00BDCE1D}
Microsoft Defender Antivirus and Microsoft Defender for Endpoint provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.
Workaround
Per the MS advisory, disabling the installation of all ActiveX controls in Internet Explorer mitigates this attack. This can be accomplished for all sites by configuring the Group Policy using your Local Group Policy Editor or by updating the registry. Previously-installed ActiveX controls will continue to run, but do not expose this vulnerability.
Workaround Detection
Qualys Policy Compliance customers can do evaluation by the following controls:
-
- 22259 Status of the ‘Download signed ActiveX controls’ setting (Local Machine Zone) – Internet Explorer
- 11763 Status of the ‘Download signed ActiveX controls’ setting (Internet Zone) (Internet Explorer)
- 11784 Status of the ‘Download unsigned ActiveX controls’ setting (Intranet Zone)
- 11764 Status of the ‘Download unsigned ActiveX controls’ setting (Internet Zone) (Internet Explorer)
- 22260 Status of the ‘Download unsigned ActiveX controls’ setting (Local Machine Zone) – Internet Explorer
- 11804 Status of the ‘Download unsigned ActiveX controls’ setting (Trusted Sites Zone)
- 11783 Status of the ‘Download signed ActiveX controls’ setting (Intranet Zone)
- 11803 Download signed ActiveX controls (Trusted Sites Zone)
A complete set of workarounds/mitigations can be found on official MS advisory.
Qualys Detection
Qualys customers can scan their network with QID 91814 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References and Sources
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
https://github.com/felixweyne/imaginaryC2/tree/master/examples/use-case-10-CVE-2021-40444
https://github.com/Udyz/CVE-2021-40444-Sample
https://www.youtube.com/watch?v=Oz16xte5UeU
https://twitter.com/JAMESWT_MHT/status/1433282944156815361