CVSS2: AV:N/AC:M/Au:N/C:P/I:P/A:P
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
CVSS3: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: LOW
  Integrity Impact: HIGH
  Availability Impact: LOW
AI Score Confidence: Low
EPSS Percentile: 99.8%
Both Microsoft and federal cybersecurity officials are urging organizations to apply mitigations for a zero-day remote code execution (RCE) vulnerability in Windows that attackers can exploit with maliciously crafted Microsoft Office documents.
Microsoft has not revealed much about the MSHTML bug, tracked as CVE-2021-40444, beyond that it is "aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents," according to an advisory released Tuesday.
However, it's serious enough that the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory of its own alerting users and administrators to the vulnerability and recommending that they apply the mitigations and workarounds Microsoft recommends.
Though Microsoft is still investigating the vulnerability, its impact could extend beyond Microsoft Office documents because MSHTML is used so widely on Windows, warned Jake Williams, co-founder and CTO at incident response firm BreachQuest.
"If you've ever opened an application that seemingly 'magically' knows your proxy settings, that's likely because it uses MSHTML under the hood," he said in an e-mail to Threatpost. "Vulnerabilities like these tend to have extremely long lifetimes for exploitation in the wild."
Even if the vulnerability's reach does not extend beyond Office documents, its presence, and the fact that attackers are already trying to exploit it, are worrisome enough that organizations should take immediate action, noted another security professional.
Malicious Office documents are a popular tactic with cybercriminals and state-sponsored threat actors, and the vulnerability gives them "more direct exploitation of a system and the usual tricking users to disable security controls," observed John Bambenek, principal threat hunter at digital IT and security operations firm Netenrich.
"As this is already being exploited, immediate patching should be done," he advised. "However, this is a stark reminder that in 2021, we still can't send documents from point A to point B securely."
Microsoft has offered some advice for organizations affected by the vulnerability (first discovered by Rick Cole of the Microsoft Security Response Center, Haifei Li of EXPMON, and Dhanesh Kizhakkinan, Bryce Abdo and Genwei Jiang of Mandiant) until it can offer its own security update. That may come in the form of a Patch Tuesday fix or an out-of-band patch, depending on what researchers discover, the company said.
Until then, customers should keep anti-malware products up to date; those who use automatic updates don't need to take action now, Microsoft said. Enterprise customers who manage updates themselves should select detection build 1.349.22.0 or newer and deploy it across their environments, the company added.
Workarounds for the flaw include disabling the installation of all ActiveX controls in Internet Explorer, which mitigates a potential attack, according to Microsoft.
"This can be accomplished for all sites by updating the registry," the company said in its advisory. "Previously-installed ActiveX controls will continue to run, but do not expose this vulnerability."
However, Microsoft warned organizations to take care when using the Registry Editor, because using it incorrectly can "cause serious problems that may require you to reinstall your operating system." "Use Registry Editor at your own risk," the company advised.
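The two interim measures the article describes, checking the Defender detection build and disabling ActiveX installation in Internet Explorer through the registry, as one added PowerShell example (not code from the article or from Microsoft's advisory). It assumes Windows PowerShell 5.1 run as Administrator on a host with Microsoft Defender, and that the URLACTION values 1001 and 1004 set to 3 under the Zones policy key for zones 0 through 3 match Microsoft's published workaround; confirm those registry details against the current advisory before deploying.

```powershell
# Added example, not code from the article or from Microsoft's advisory. Assumes
# Windows PowerShell 5.1 run as Administrator on a host with Microsoft Defender.
#Requires -RunAsAdministrator

# --- 1. Check the Defender definition build the article names (1.349.22.0 or newer).
function Test-DefenderDetectionBuild {
    param([version]$Minimum = '1.349.22.0')   # value taken from the article
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        Installed = $status.AntivirusSignatureVersion
        Required  = $Minimum
        UpToDate  = ([version]$status.AntivirusSignatureVersion -ge $Minimum)
    }
}

# --- 2. Apply and verify the "disable ActiveX installation in IE" registry workaround.
# Assumption: URLACTION 1001 (download signed ActiveX) and 1004 (download unsigned
# ActiveX) set to 3 (disable) under the Zones policy key, for zones 0-3, are taken
# from Microsoft's published workaround; confirm them against the current advisory.
$ZonesRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Actions   = '1001', '1004'
$Disabled  = 3            # 0 = allow, 1 = prompt, 3 = disable

function Set-ActiveXInstallDisabled {
    foreach ($zone in 0..3) {   # 0 Local Machine, 1 Intranet, 2 Trusted, 3 Internet
        $key = Join-Path $ZonesRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($action in $Actions) {
            New-ItemProperty -Path $key -Name $action -PropertyType DWord -Value $Disabled -Force | Out-Null
        }
    }
}

function Get-ActiveXInstallGaps {
    # Emits one object per zone/action that is NOT set to 3; no output means compliant.
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonesRoot $zone
        foreach ($action in $Actions) {
            $current = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
            if ($current -ne $Disabled) {
                [pscustomobject]@{ Zone = $zone; Action = $action; Current = $current }
            }
        }
    }
}

Test-DefenderDetectionBuild | Format-List
Set-ActiveXInstallDisabled
$gaps = Get-ActiveXInstallGaps
if ($gaps) { $gaps | Format-Table -AutoSize } else { 'ActiveX installation disabled in zones 0-3.' }
```

Microsoft's advisory (not quoted on this page) also calls for a reboot after the registry change so the policy takes effect; the compliance check can be re-run afterwards from monitoring tooling to confirm the setting has not drifted.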
breachquest.com/
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444
netenrich.com/
us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444