
Latest Microsoft zero-day being actively exploited

New Microsoft zero-day CVE-2021-40444 affects multiple versions of Windows and is probably being exploited through convincing phishing attacks

Security analysts are once again warning of a zero-day vulnerability in Microsoft products after reports emerged of active exploitation of CVE-2021-40444, a remote code execution (RCE) vulnerability in MSHTML, the Internet Explorer (IE) rendering engine, on Windows 10 and several Windows Server versions.

The zero-day was uncovered by researchers from EXPMON and Mandiant, and can be exploited by crafting a malicious ActiveX control to be loaded by a Microsoft Office document that hosts MSHTML (aka Trident), the rendering engine used by IE and later succeeded by EdgeHTML in the original Edge browser. There is currently no available patch.

Office documents downloaded from the internet carry a Mark of the Web and are opened by default in either Protected View or Application Guard for Office, both of which block the current attack. Successful exploitation therefore depends on convincing the target not just to open the malicious document but to leave Protected View (for example by clicking Enable Editing), or on delivering a file that never receives the mark; once the document is opened with full functionality the vulnerability is triggered and a malicious payload downloaded to the victim's system.
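Whether Protected View will apply to a given file can be checked directly, because Windows records the origin zone in a Zone.Identifier alternate data stream on the file. The following PowerShell is an added example, not code from the article or from Microsoft; the document path is a placeholder and the zone-to-Protected-View mapping reflects Office's default settings (Internet and Restricted Sites zones trigger Protected View).

```powershell
# Added example: read the Mark of the Web (Zone.Identifier ADS) on a downloaded
# document and report whether Office's default Protected View would apply to it.
# Assumes an NTFS volume and PowerShell 3 or later (-Stream support).

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $ads = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null   # no Zone.Identifier stream: the file was never marked on download
    }
    foreach ($line in $ads) {
        # Stream body looks like: [ZoneTransfer] / ZoneId=3 / ReferrerUrl=... / HostUrl=...
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Test-ProtectedViewExpected {
    param([Parameter(Mandatory)][string]$Path)
    $zone = Get-MotwZone -Path $Path
    # ZoneId 3 = Internet, 4 = Restricted Sites: both open in Protected View by default.
    # 0-2 (Local, Intranet, Trusted) and a missing stream open with full functionality.
    return ($null -ne $zone -and $zone -in 3, 4)
}

$doc = 'C:\Users\Public\Downloads\invoice.docx'   # placeholder path for illustration
$zone = Get-MotwZone -Path $doc
if ($null -eq $zone) {
    Write-Host "$doc has no Mark of the Web; Office will NOT open it in Protected View."
} elseif (Test-ProtectedViewExpected -Path $doc) {
    Write-Host "$doc is ZoneId=$zone; Office opens it in Protected View, so the exploit only fires if the user clicks Enable Editing."
} else {
    Write-Host "$doc is ZoneId=$zone; Protected View does not apply by default."
}
```

The practical caveat this surfaces: a document that reaches the user without the stream, for example extracted from a container format that does not propagate the mark, or saved from a source Windows treats as local or intranet, is opened with full functionality and the Protected View mitigation never engages.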

Trend Micro researchers who have been tracking exploitation and obtained a number of document samples for analysis said that at present, CVE-2021-40444 is being used to deliver Cobalt Strike payloads – almost always a precursor to a wider cyber attack.

In an advisory blog, Trend’s team said: “We reiterate our long-standing advice to avoid opening files from unexpected sources, which could considerably lower the risk of this threat as it requires the user to actually open the malicious file.”

In a security notice, Microsoft said its Defender Antivirus and Defender for Endpoint products both detect and protect against CVE-2021-40444 as long as they are up to date. Enterprise customers who manage updates themselves should select detection build 1.349.22.0 or newer and deploy it as soon as possible. Users can also mitigate the threat by disabling the installation of all ActiveX controls in IE.
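The ActiveX workaround is a registry change to the IE security zones: the URL actions for downloading signed (1001) and unsigned (1004) ActiveX controls are set to 3 (Disable) in zones 0 to 3. The script below is an added example that applies and verifies that change; it is not Microsoft's published workaround file, and it assumes the default Zones key location under HKLM and that it is run from an elevated prompt.

```powershell
# Added example: disable ActiveX control installation in Internet Explorer
# (the CVE-2021-40444 workaround) and verify the change read back correctly.
# Run elevated. Export the Zones key first so the change can be reverted.
# Assumption: zones live at the default HKLM path below (no policy override).

$zonesRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$actions   = @('1001', '1004')   # URLACTION_DOWNLOAD_SIGNED_ACTIVEX / URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX
$disable   = 3                   # 0 = Enable, 1 = Prompt, 3 = Disable

function Set-ActiveXDownloadDisabled {
    foreach ($zone in 0..3) {    # 0 Local, 1 Intranet, 2 Trusted, 3 Internet
        $key = Join-Path $zonesRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($a in $actions) {
            Set-ItemProperty -Path $key -Name $a -Value $disable -Type DWord
        }
    }
}

function Test-ActiveXDownloadDisabled {
    # True only if every zone/action pair reads back as 3
    foreach ($zone in 0..3) {
        $key = Join-Path $zonesRoot $zone
        foreach ($a in $actions) {
            $v = (Get-ItemProperty -Path $key -Name $a -ErrorAction SilentlyContinue).$a
            if ($v -ne $disable) { return $false }
        }
    }
    return $true
}

Set-ActiveXDownloadDisabled
if (Test-ActiveXDownloadDisabled) {
    Write-Host 'ActiveX control download disabled in IE zones 0-3; restart IE/Office sessions for it to take effect.'
} else {
    Write-Host 'Workaround not fully applied; check permissions and Group Policy overrides.'
}
```

Two things to keep in mind when rolling this out: it prevents new ActiveX controls from being installed but does not remove or block controls already installed, and Group Policy settings for IE zones take precedence over these per-machine values, so on managed estates the same change is better delivered through policy.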

In a statement, Microsoft said: “Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

Veritas CISO Payman Armin commented: “Cyber security is the ultimate cat-and-mouse game – software vendors patch one hole and the bad actors find another one to sneak through.

“Compounding the problem is that it takes time to develop security patches that install properly and don’t break anything. Microsoft is undoubtedly working feverishly to patch this new MSHTML vulnerability. In the meantime, organisations are left to rely on security software to prevent exploitation that, more often than we’d like to see, lets successful ransomware and other attacks against data integrity slip through its nets.


“So, while security software is always a good first line of defence, including while waiting for patches, businesses have to operate under the assumption that it can be bypassed.

“In today’s security landscape, every organisation needs a backup plan – and that has to include comprehensive data protection to bounce back quickly when ransomware or other threats to data break through.”

Cybereason’s Sam Curry said it might appear to be open season on Microsoft zero-days right now, but given Microsoft’s status as among the most ubiquitous software companies in the world, this was hardly a surprise.

“If you’re an attacker and want victims, you go after the biggest footprint,” he said. “However, the answer isn’t to use more obscure software. Instead, the lesson was made clear with the SolarWinds and Hafnium attacks: deploy software, but realise that you are lending the vendor trust. Assume that even trusted vendors and software can be compromised.

“Therefore, get good at limiting damage, detecting when software is abused to do things it shouldn’t do, and get great at finding that and wrapping it up. Microsoft should by all means do all it can to reduce the incidence of these, but security should assume that any vendor can be compromised and be prepared for that eventuality.”

The emergence of CVE-2021-40444 is the second time in as many months that a critical RCE flaw has been found in MSHTML. In its August 2021 Patch Tuesday drop, Microsoft fixed CVE-2021-34354, a critically rated MSHTML bug that also enabled RCE on targeted systems. Successful exploitation of that bug requires a somewhat complex attack which, like CVE-2021-40444, depends on user interaction.
