Attackers are exploiting zero-day RCE flaw to target Windows users (CVE-2021-40444)

Attackers are exploiting CVE-2021-40444, a zero-day remote code execution vulnerability in MSHTML (the main HTML component of the Internet Explorer browser), to compromise Windows/Office users in “a limited number of targeted attacks,” Microsoft has warned on Tuesday.


About CVE-2021-40444 and the attacks

CVE-2021-40444 is a set of logical flaws that can be leveraged by remote, unauthenticated attackers to execute code on the target system.

The current attacks were detected by Microsoft, Mandiant, and Expmon researchers. The latter say that they’ve reliably reproduced the attack on Windows 10:

The attackers are flinging specially-crafted Microsoft Office documents at targets.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document,” Microsoft explained.

The company also noted that “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” and that Microsoft Office opens documents from the internet in Protected View or Application Guard for Office by default, and that this prevents the current attacks.

Unfortunately, users are often tricked into opening documents from untrusted sources and to exit the Protected View.

Until a patch is released, Microsoft has advised admins to disable ActiveX in Internet Explorer to mitigate the risk (instructions on how to do it are included in the security advisory).

“At this point, it should be pretty low impact to disable ActiveX, but of course, there may be individual enterprise applications that still use ActiveX,” noted Dr. Johannes Ullrich, Dean of Research at the SANS Technology Institute.

Don't miss