On 7 September 2021, Microsoft published details regarding a campaign leveraging an unpatched vulnerability in MSHTML that affects Microsoft Office users across multiple versions of Microsoft Windows. Users who do not use Protected View or Application Guard are advised to temporarily apply Microsoft’s mitigation advice.
- The flaw, tracked as CVE-2021-40444, impacts Microsoft MSHTML in Windows Server 2008 through 2019 and Windows 8.1 through 10. It received a CVSS:3.0 score of 8.8 out of 10. Although the MSHTML browser engine was used primarily by Internet Explorer, it also renders web-hosted content in Office applications.
- Threat actors are taking advantage of the vulnerability by sending specially crafted Microsoft Office documents to potential victims. A Microsoft Office document that hosts MSHTML can make malicious use of a crafted ActiveX control. A user would have to open the malicious document for an attack to be successful.
- In its default configuration, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, which prevents untrusted files from accessing trusted resources on the system. Systems with the latest Defender Antivirus and Defender for Endpoint enabled appear to be protected from the execution of this flaw.
- For the affected systems, Microsoft recommends disabling the installation of all ActiveX controls in Internet Explorer and applications that embed the browser. Microsoft is likely to release an update in the coming days.
- Follow Microsoft’s guidance to determine if your systems are affected.
- When applicable, we recommend applying mitigation measures provided by Microsoft and monitoring for updates to be released in the coming days.
- As Microsoft recommends disabling the installation of ActiveX controls by updating the registry, we recommend exercising caution when using a Registry Editor.
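
A read-only way to confirm the registry mitigation without opening a Registry Editor, as an added example that is not from Microsoft or from this advisory: the script reports, per Internet Explorer security zone, whether installation of ActiveX controls is disabled by machine policy. The policy path, the URL action names 1001 and 1004 (download of signed and unsigned ActiveX controls) and the value 3 (disabled) are not given on this page and are assumptions to check against Microsoft's guidance; the function name is hypothetical.

```powershell
# Added example: read-only audit, nothing is written to the registry.
# Assumptions (not from this page): URL actions 1001 / 1004 control download of
# signed / unsigned ActiveX controls, and the value 3 means "disabled".
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones      = [ordered]@{ '0' = 'Local Machine'; '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet' }
$Actions    = [ordered]@{ '1001' = 'Download signed ActiveX'; '1004' = 'Download unsigned ActiveX' }
$Disabled   = 3

function Get-ActiveXPolicyState {
    param([string]$BasePath = $PolicyBase)

    foreach ($zone in $Zones.Keys) {
        $key = Join-Path $BasePath $zone
        # A missing key or value means no policy is set; report it instead of throwing.
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        foreach ($action in $Actions.Keys) {
            $value = $null
            if ($props -and ($props.PSObject.Properties.Name -contains $action)) {
                $value = $props.$action
            }
            [pscustomobject]@{
                Zone     = "$zone ($($Zones[$zone]))"
                Action   = "$action ($($Actions[$action]))"
                Value    = if ($null -eq $value) { 'not set' } else { $value }
                Disabled = ($value -eq $Disabled)
            }
        }
    }
}

$report = @(Get-ActiveXPolicyState)
$report | Format-Table -AutoSize

# Anything not explicitly set to 3 falls back to the zone's normal behaviour.
$open = @($report | Where-Object { -not $_.Disabled })
if ($open.Count -gt 0) {
    Write-Warning "$($open.Count) zone/action pair(s) do not have ActiveX installation disabled by policy."
} else {
    Write-Output 'ActiveX installation is disabled by policy in all four zones.'
}
```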