Vulnerability Management – Exploitation of Zero-day Vulnerability in Microsoft MSHTML Leveraging Office Documents

Author: Jennifer Walker

Created: Thursday, September 9, 2021 - 16:39

Categories: Cybersecurity

Attention: Given widespread use of Microsoft Windows and Office applications that potentially use this component, system administrators are encouraged to review available advisories for CVE-2021-40444 and address accordingly for impacted systems within their environment. CISA has posted a current activity report, Microsoft Releases Mitigations and Workarounds for CVE-2021-40444.

What is the bug? A critical remote code execution (RCE) vulnerability within Microsoft MSHTML affecting Windows Server 2008 through 2019 and Windows 8.1 through 10. This vulnerability is tracked as CVE-2021-40444. While MSHTML is most notably used in the now unsupported Internet Explorer, it is also used to render web-hosted content inside Office applications. An attacker could use a malicious ActiveX control to display web content within applications such as Word, Power Point, or Excel.

Why is it important? Due to widespread use of Microsoft Windows and the vulnerability existing in most currently supported systems (Windows Server 2008 through 2019 and Windows 8.1 through 10).

Is there a patch? No. Microsoft is expected to include a fix in next week’s “Patch Tuesday.” This vulnerability is currently considered a “zero-day,” meaning there is no patch available.

Are there other mitigations or workarounds available until a patch is released? Yes, but sysadmins are encouraged to review mitigations and workarounds closely for potential caveats that may limit effectiveness within your environment.

Is this being actively exploited? Yes. Microsoft states they are aware of active exploitation from malicious threat actors. Likewise, multiple researchers are observing current activity attempting to leverage this vulnerability.

Additional Resources: