Microsoft warns of a zero-day vulnerability in Internet Explorer that is actively exploited by threat actors using weaponized Office docs.
Microsoft warns of a zero-day vulnerability (CVE-2021-40444) in Internet Explorer that is actively exploited by threat actors to hijack vulnerable Windows systems. Microsoft did not share info about the attacks either the nature of the threat actors.
The vulnerability was exploited by threat actors in malspam attacks spreading weaponized Office docs.
The remote code execution vulnerability in MSHTML affects Microsoft Windows, the issue received a CVSS score of 8.8.
MSHTML is the main HTML component of the Windows Internet Explorer browser, it is also used in other applications.
“Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.” reads the advisory published by Microsoft.”An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
The vulnerability was reported by Mandiant researchers Bryce Abdo, Dhanesh Kizhakkinan and Genwei Jiang, and Haifei Li from EXPMON
EXPMON researchers defined the attack exploiting the CVE-2021-40444 flaw as a highly sophisticated zero-day attack against Microsoft Office users.
💥💥⚡️⚡️
EXPMON system detected a highly sophisticated #ZERO-DAY ATTACK ITW targeting #Microsoft #Office users! At this moment, since there's no patch, we strongly recommend that Office users be extremely cautious about Office files – DO NOT OPEN if not fully trust the source!— EXPMON (@EXPMON_) September 7, 2021
Our system detects the Microsoft #CVE-2021-40444 #zero-day attack like this. We output the keyword "zero-day" if we think a sample is an unpatched zero-day exploit.
(had to redact some info for now, as we don't want to help other malicious actors)#0day #exploit #apt #office pic.twitter.com/RMniCTTols
— EXPMON (@EXPMON_) September 7, 2021
Other research teams already reproduced the exploit, such as the RedDrip Team.
Maybe it is the latest #CVE-2021-40444 attack sample, which only requires one click to run.
And our researchers have reproduced the exploit. pic.twitter.com/1Y5WGb7XU5
— RedDrip Team (@RedDrip7) September 8, 2021
Waiting for security updates from Microsoft, the company urges customers to disable all ActiveX controls in Internet Explorer to mitigate any potential attack.
Below is the mitigation published by Microsoft:
“Disabling the installation of all ActiveX controls in Internet Explorer mitigates this attack. This can be accomplished for all sites by updating the registry. Previously-installed ActiveX controls will continue to run, but do not expose this vulnerability.
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To disable ActiveX controls on an individual system:
- To disable installing ActiveX controls in Internet Explorer in all zones, paste the following into a text file and save it with the .reg file extension:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
“1001”=dword:00000003
“1004”=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
“1001”=dword:00000003
“1004”=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
“1001”=dword:00000003
“1004”=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
“1001”=dword:00000003
“1004”=dword:00000003
- Double-click the .reg file to apply it to your Policy hive.
- Reboot the system to ensure the new configuration is applied.”
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine