Microsoft MSHTML Remote Code Execution Vulnerability Threat Intel Advisory

Summary

Researchers detected the vulnerability CVE-2021-40444 that targets a remote code execution flaw in MSHTML used to render web content inside Office documents

Category Vulnerability Intelligence
Vulnerability Class Remote Code Execution
CVE id CVE-2021-40444
CVSS:3.0 Score 8.8
TLP # GREEN
Reference *Intelligence source and information reliability - Wikipedia

Executive Summary

  • Microsoft Mandiant, and Expmon researchers have detected a vulnerability, tracked as CVE-2021-40444, that targets a remote code execution flaw in MSHTML, used in Microsoft Office to render web content inside Word, Excel, and PowerPoint documents.
  • The zero-day vulnerability is actively exploited by threat actors and Office users are targeted through client-side attack vectors.
  • Microsoft has updated Windows Defender Antivirus and Windows Defender for Endpoints to defend against this vulnerability.
  • Assets can be protected against the attack by following the guidelines recorded in the Impact & Mitigation section of this advisory.

Analysis

Trident, popularly known as the MSHTML , is a browser engine developed by Microsoft for Internet Explorer. The Microsoft Office suite supports MSHTML, which has a remote code execution vulnerability (CVE-2021-40444) that attackers are increasingly exploiting to gain code execution on targeted systems. At present, Microsoft has not disclosed the technical details of the vulnerability.

  • Threat actors craft a malicious ActiveX control which is then used in Office documents that host MSHTML.
  • The logical flaw in MSHTML is triggered when the user opens the malicious document.
  • However, Protected View/ Application Guard in Microsoft Office applications is capable of defending against these targeted attacks.
  • Microsoft has updated Defender for Endpoints, to flag such attacks with an alert that reads “Suspicious Cpl File Execution.”
  • Microsoft has not released a patch for this zero-day vulnerability, but TTPs (Techniques tactics and procedures) for this vulnerability have been updated in Windows Defender.
  • Additionally, an official Microsoft advisory that includes a workaround has been included in the following section.

Impact & Mitigation

image

image

1 Like