Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444)

On 7 Sep, Microsoft has reported a vulnerability has recently been reported affecting various versions of Windows and Windows Servers by using specially-crafted Microsoft Office documents.

Background

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft has released https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 to track the information.

Severity Level

Critical

Affected OS

Windows versions: 8.1 – 10
Windows Server versions: 2008, 2012, 2016, 2019

Current Protection

On 14 September 2021, Microsoft released security updates to address this vulnerability. Please install these updates immediately.
Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability.
Kaspersky recommends to enable KSN “Kaspersky Security Network” and “Exploit Prevention” for protection. Now it can also detect these threats based on this vulnerability:
- HEUR:Trojan.MSOffice.Agent.gen
- HEUR:Exploit.MSOffice.CVE-2021-40444.a
- PDM:Exploit.Win32.Generic
Palo Alto Firewall can now detect some threats (ID 91602, 91603 and 91605) based on this vulnerability.

Recommendations

Do not open suspicious document. By default Microsoft Office will open documents from the internet in Protected View mode. The attacker will try to convince the user to disable the protection by pretending to be from a trusted source. Please verify with the source before doing so.
Disabling the installation of all ActiveX controls in Internet Explorer as described in the Microsoft document.
As always, users should use account with Standard User Right for their daily works. This will significantly reduce secure risk.

Reference

Microsoft Security Update Guide (CVE-2021-40444):
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
HKCERT Bulletin:
https://www.hkcert.org/security-bulletin/microsoft-windows-remote-code-execution-vulnerability_20210908

Enquiry

ITSC Service Desk: http://servicedesk.itsc.cuhk.edu.hk (Get Help > Desktop Support and Management)

Published on: 9 Sep 2021

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.