Overview
Microsoft is investigating reports of a remote code execution (RCE) vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.
Microsoft aim to release a security update as part of their monthly release process or to provide an out-of-cycle security update, depending on customer needs.
The vulnerability is listed as CVE-2021-40444 (Microsoft MSHTML Remote Code Execution Vulnerability):
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444
Detail
According to the vulnerability information, an attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine (Internet Explorer). The user must then open the document to trigger the malicious code.
By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack, but they could be subverted if the attacker is able to convince the victim to bypass any mitigations.
Up-to-date anti-virus software should also provide detection and protection for the vulnerability.
Recommended Action
Ensure your organisation has Protected View or Application Guard enabled. This serves as a mitigation, not only for this vulnerability but for a wide range of threats.
Ensure your organisation’s anti-virus and security solutions are running and up to date.
Raise employee awareness of cyber threats on a regular basis, such as reminding them never to open documents from untrusted sources, and not to enable editing and macros unless deemed safe and absolutely necessary.
A workaround to disable the installation of all ActiveX controls in Internet Explorer also mitigates this attack. Details on how to do this can be found here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
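As an added example (not part of the original advisory), the following read-only PowerShell audit checks two of the configuration mitigations above: the ActiveX installation workaround and Protected View for internet files. It assumes Office registry version key 16.0 and the standard Windows registry locations for URL actions 1001 and 1004 and for the `DisableInternetFilesInPV` setting, none of which appear on this page; it does not check Application Guard.

```powershell
# Added example: read-only audit, changes nothing on the host.
# Assumptions: Office registry version key 16.0; the registry paths and value
# names below are standard Windows/Office settings, not taken from the advisory.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# ActiveX workaround: URL actions 1001 (download signed ActiveX controls) and
# 1004 (download unsigned ActiveX controls) must be 3 (disabled) in zones 0-3.
$zoneRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneNames = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet' }

$results = @()
foreach ($zone in 0..3) {
    foreach ($action in '1001', '1004') {
        $value = Get-RegValue -Path "$zoneRoot\$zone" -Name $action
        $results += [pscustomobject]@{
            Check = "ActiveX install disabled: zone $zone ($($zoneNames[$zone])), action $action"
            Value = if ($null -eq $value) { 'not set' } else { $value }
            Pass  = ($value -eq 3)
        }
    }
}

# Protected View: DisableInternetFilesInPV = 1 turns Protected View OFF for files
# from the internet. Check both the policy location and the per-user setting.
$officeRoots = 'HKCU:\Software\Policies\Microsoft\Office', 'HKCU:\Software\Microsoft\Office'
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    foreach ($root in $officeRoots) {
        $path  = "$root\16.0\$app\Security\ProtectedView"
        $value = Get-RegValue -Path $path -Name 'DisableInternetFilesInPV'
        $results += [pscustomobject]@{
            Check = "Protected View for internet files: $app ($path)"
            Value = if ($null -eq $value) { 'not set (default: enabled)' } else { $value }
            Pass  = ($value -ne 1)
        }
    }
}

$results | Format-Table -AutoSize -Wrap
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) check(s) failed" }
```

The ActiveX checks pass only on hosts where the workaround has been applied; the Protected View checks pass when the setting is left at its default or explicitly enabled.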
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.