Hackers are attempting to exploit a remote code execution vulnerability in MSHTML affecting Windows by using specially crafted Office documents, but Microsoft has provided a way for organizations to mitigate the problem until it completes its investigation and potentially issues an update.
“MSHTML is a component used by myriad applications on Windows,” said Jake Williams, co-founder and CTO at BreachQuest. “If you’ve ever opened an application that seemingly ‘magically’ knows your proxy settings, that’s likely because it uses MSHTML under the hood.”
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” Microsoft wrote about CVE-2021-40444 in an advisory. “The attacker would then have to convince the user to open the malicious document.”
Users whose accounts are configured with administrative rights are at greater risk than those whose accounts have fewer rights on the system.
“Malicious Office docs are a go-to favorite for cybercriminals and hostile nation-states,” said John Bambenek, principal threat hunter at Netenrich. “This vulnerability allows more direct exploitation of a system than the usual tactic of tricking users into disabling security controls.”
In tandem with the Microsoft advisory, the Cybersecurity and Infrastructure Security Agency (CISA) issued its own alert urging organizations to implement the Microsoft mitigations and workarounds and confirming that exploitation of the vulnerability had been detected in the wild and could allow “a remote attacker to take control of an affected system.”
“The good news is that this vulnerability is client-side and requires user interaction. A patch is also available,” said Casey Ellis, founder and CTO at Bugcrowd. “Unfortunately, that’s the end of the good news.”
Ellis said while “exploit complexity appears quite low, the impact is very high, and its weaponized form is useful in many different attacks including the installation of ransomware.”
The consistent challenge with such client-side vulnerabilities, he said, “is that there are a lot of systems that need to be patched, which means they stay available for exploitation to attackers for quite some time.”
The tech giant noted that Microsoft Defender Antivirus and Microsoft Defender for Endpoint could both detect the vulnerability and protect against it. It urged users to keep their antimalware products up to date and said that those who use automatic updates won’t have to take additional action.
“Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments,” Microsoft wrote. “Microsoft Defender for Endpoint alerts will be displayed as: ‘Suspicious Cpl File Execution.’”
Among the steps Microsoft plans to take once it completes its investigation is releasing a security update, either through its monthly Patch Tuesday process or as an out-of-cycle security patch.
“As this is already being exploited, immediate patching should be done,” said Bambenek. “However, this is a stark reminder that in 2021, we still can’t send documents from point A to point B securely.”
For now, Microsoft has provided workarounds. “Disabling the installation of all ActiveX controls in Internet Explorer mitigates this attack,” the company said, adding that this can be done for all sites through a registry update. “Previously installed ActiveX controls will continue to run, but do not expose this vulnerability.”
That workaround came with a caveat, though. “If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system,” the company said. “Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.”
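As an added example (not from the article and not Microsoft's own code), the following PowerShell script applies the ActiveX-install workaround described above and checks the Defender signature build floor quoted earlier. The registry paths and the 1001/1004 value names follow the .reg workaround Microsoft published for CVE-2021-40444, and the Get-MpComputerStatus check assumes the Defender PowerShell module is present; verify both against the current advisory before use.

```powershell
# Added example: apply and verify the "disable ActiveX installation in all
# IE zones" workaround, and confirm the Defender signature build meets the
# 1.349.22.0 floor. Run in an elevated PowerShell session on the affected host.
# Assumption: key path and value names match Microsoft's published .reg file.

$ZonesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# 1001 = "Download signed ActiveX controls", 1004 = "Download unsigned ActiveX controls"
# A value of 3 means Disable for these IE URL-action policies.
$ActiveXValues = @{ '1001' = 3; '1004' = 3 }
$ZoneIds = 0..3   # 0 Local Machine, 1 Intranet, 2 Trusted, 3 Internet

function Set-ActiveXInstallDisabled {
    foreach ($zone in $ZoneIds) {
        $path = Join-Path $ZonesKey $zone
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $ActiveXValues.Keys) {
            New-ItemProperty -Path $path -Name $name -PropertyType DWord `
                -Value $ActiveXValues[$name] -Force | Out-Null
        }
    }
}

function Test-ActiveXInstallDisabled {
    # Returns $true only when every zone has both values set to 3 (Disable).
    foreach ($zone in $ZoneIds) {
        $path = Join-Path $ZonesKey $zone
        if (-not (Test-Path $path)) { return $false }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $ActiveXValues.Keys) {
            if ($props.$name -ne 3) { return $false }
        }
    }
    return $true
}

function Test-DefenderSignatureBuild {
    # Compares the installed antivirus signature version against the floor
    # Microsoft named for CVE-2021-40444 detection (1.349.22.0).
    param([version]$Minimum = [version]'1.349.22.0')
    $status = Get-MpComputerStatus
    return ([version]$status.AntivirusSignatureVersion -ge $Minimum)
}

Set-ActiveXInstallDisabled
"ActiveX install disabled in zones 0-3: $(Test-ActiveXInstallDisabled)"
"Defender signature build >= 1.349.22.0: $(Test-DefenderSignatureBuild)"
```

The verification functions can be run on their own from an endpoint-management tool to confirm that the workaround and signature level are in place across a fleet.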
While details about the vulnerability are scarce, Williams said, “the impact is likely to extend beyond MS Office.”
That’s because “vulnerabilities like these tend to have extremely long lifetimes for exploitation in the wild,” Williams said, “highlighting the need for security monitoring and periodic threat hunting.”