Skip to content

Search the site

New Windows MSHTML 0day being abused in the wild

Security teams should mitigate urgently.

Updated September 9, 2021 with IOCs from Trend Micro, Yara rules from NCC Group's Rich Warren.

Microsoft has issued an urgent pre-patch advisory for a new Windows MSHTML exploit -- warning it is seeing "targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents" in the twentieth zero day to hit Microsoft so far this year. Abuse of the "reliable and dangerous" exploit is likely to widen as security researchers reverse engineer the patch. Mitigation details are here.

The remote code execution (RCE) vulnerability -- allocated CVE-2021-40444, with a CVSS score of 8.8 -- was reported by five security researchers from three separate organisations over the weekend; three of them from IR specialist Mandiant. It targets an exploitable bug in MSHTML -- a browsing engine built into Office.

"We have reproduced the attack on the latest Office 2019 / Office 365 on Windows 10 (typical user environment), for all affected versions please read the Microsoft Security Advisory. The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous)" one of the reporting security researchers from EXPMON noted, saying they informed Microsoft about the bug on Sunday (September 5, 2021).

"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights" Microsoft said in its September 7 guidance.

See also: 7 free cybersecurity tools to know and use, from Infection Monkey to Chainsaw, Bloodhound to policy-bot

Once opened, the document will load the Internet Explorer engine to render a remote web page from the threat actor. Malware is then downloaded by using a specific ActiveX control in the web page. Executing the threat is done using a trick called Cpl File Execution referenced in Microsoft’s advisory, Cert-EU noted. Windows 7, 8.1 and 10, Windows Server 2008, 2016, 2019, 2022 and Windows Server Core versions are all affected.

"Now is a great time to remind defenders that they need to focus on comprehensive post-exploitation mitigation and detection. Now is also a great time for security testers and researchers to not be the first to release an exploit, especially pre-patch. It won’t help defenders" noted Mandiant's Andrew Thompson on Twitter.

(There's typically a race among offensive security folks to reverse engineer the patch and release a proof-of-concept of the attacks -- resulting in wider exploitation. The NSA, CISA and FBI on July 19, 2021 warned starkly that APT threat groups typically now exploit public security vulnerabilities “within days of their public disclosure”).

A stop-gap workaround involves disabling the installation of all ActiveX controls in Internet Explorer: "This can be accomplished for all sites by updating the registry. Previously-installed ActiveX controls will continue to run, but do not expose this vulnerability" Microsoft added in its update.

Trend Micro said it has obtained multiple samples of documents that exploit this vulnerability -- with the initial payload typically thus far being a Cobalt Strike beacon. Indicators of Compromise for the Windows MSHTML exploit as identified by the security firm thus far can be found here. NCC Group's Rich Warren meanwhile has shared some Yara rules (a way of identifying malware or other files) for detection here. There are seven malware samples associated with the CVE on MalwareBazaar meanwhile.

See also -- Revealed: Over 50 TTPs of Chinese state-backed hackers APT 40