Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444) – Sep 11, 2021


Microsoft has published information regarding a zero-day remote code execution vulnerability that exploits MSHTML via a crafted ActiveX control. A successful exploit in this instance raises the privileges of the MSHTML process, allowing it to covertly download malware to the compromised endpoint.

There are no patches available at this time from Microsoft, but the vulnerability can be mitigated by closing the attack vectors: 1) disabling ActiveX; and 2) increasing organizational vigilance for social engineering attacks.


1) Until a patch is available, it is recommended that ActiveX be disabled via Group Policy if possible. To disable ActiveX via Group Policy, complete the following:

In Group Policy settings, navigate to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page

For each zone, complete the following:

  • Select the zone (Internet Zone, Intranet Zone, Local Machine Zone, or Trusted Sites Zone).
  • Double-click Download signed ActiveX controls and Enable the policy. Then set the option in the policy to Disable.
  • Double-click Download unsigned ActiveX controls and Enable the policy. Then set the option in the policy to Disable.
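The Group Policy path above writes per-zone values under the Internet Settings policy key in the registry, which is also where an administrator can verify that the setting has actually reached an endpoint. The following PowerShell script is an added example and not part of the original bulletin: it audits those values and, when run with administrator rights, writes the same Disable setting the policy would. It assumes the documented mapping of "Download signed ActiveX controls" to value 1001 and "Download unsigned ActiveX controls" to value 1004 under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone>, with DWORD 3 meaning Disable; the zone numbers (0 Local Machine, 1 Intranet, 2 Trusted Sites, 3 Internet) follow the same convention, and the function names are this example's own.

```powershell
# Added example (not from the original bulletin): audit and, if requested, apply the
# registry values behind the "Download signed/unsigned ActiveX controls" policies.
# Assumed mapping: Zones\<n>\1001 = signed, Zones\<n>\1004 = unsigned, data 3 = Disable.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones      = [ordered]@{ '0' = 'Local Machine'; '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet' }
$Settings   = [ordered]@{ '1001' = 'Download signed ActiveX controls'
                          '1004' = 'Download unsigned ActiveX controls' }
$Disable    = 3

function Get-ActiveXDownloadPolicy {
    # One row per zone and setting; Compliant is true only when the value is present and 3.
    foreach ($zoneId in $Zones.Keys) {
        $key = Join-Path $PolicyRoot $zoneId
        foreach ($valueName in $Settings.Keys) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
            }
            [pscustomobject]@{
                Zone      = $Zones[$zoneId]
                Setting   = $Settings[$valueName]
                Value     = $current          # $null means "not configured" (policy absent)
                Compliant = ($current -eq $Disable)
            }
        }
    }
}

function Set-ActiveXDownloadPolicy {
    # Writes the same values the Group Policy would; requires an elevated session.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($zoneId in $Zones.Keys) {
        $key = Join-Path $PolicyRoot $zoneId
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($valueName in $Settings.Keys) {
            if ($PSCmdlet.ShouldProcess("$key\$valueName", "Set DWORD to $Disable (Disable)")) {
                New-ItemProperty -Path $key -Name $valueName -Value $Disable -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

# Audit first; apply with -WhatIf to preview, then without it from an elevated prompt.
Get-ActiveXDownloadPolicy | Format-Table -AutoSize
# Set-ActiveXDownloadPolicy -WhatIf
# Set-ActiveXDownloadPolicy
# Get-ActiveXDownloadPolicy | Where-Object { -not $_.Compliant }
```

Because the script writes to the Policies hive, a later Group Policy refresh that carries the settings from the steps above will simply overwrite the values with the same data, so the two approaches do not conflict; the audit function is the useful part on machines that already receive the GPO, since it shows whether the policy has applied.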

2) The initial vector for this vulnerability also hinges on a user opening a suspicious Office file containing the crafted ActiveX control. Increased vigilance for social engineering attacks via Microsoft Office products (primarily Word documents sent via email) can therefore further mitigate this vulnerability. This may include redistributing educational materials reiterating the signs of suspicious emails and attachments. These materials may include the following points:

  • Beware of emails sent from unknown senders or senders outside the organization (particularly if there is no business case or other context for the communication).
  • Beware of emails containing multiple spelling and grammatical errors, or having an overall ‘unprofessional’ ethos.
  • Beware of emails that attempt to elicit a sense of urgency to either divulge information or action on a link or attachment.

Attack Details

Microsoft has yet to reveal the complete details, but we do know that the vector of attack is a crafted ActiveX control. When the control is accessed (likely by opening a suspicious Word document or another Office file), the MSHTML process runs with the privileges of the active user. If the user is an administrator or possesses sufficient rights, this grants the MSHTML process sufficient privilege to request the download of malware to the endpoint.
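Because the document-borne ActiveX control is the only part of the vector that is known, a practical defensive step is to see which controls a suspicious attachment actually embeds before anyone opens it. The following PowerShell function is an added example, not part of the original bulletin and not a detection for this specific vulnerability: it lists the ActiveX controls declared inside an Office Open XML file (.docx, .xlsx, .pptx), which is a plain zip archive. It assumes the standard OOXML layout in which each embedded control is described by an activeX/activeXN.xml part whose root element carries the control's CLSID and persistence mode as attributes in the Office ActiveX namespace; the function name and the quarantine path in the usage line are this example's own.

```powershell
# Added example (not from the original bulletin): enumerate ActiveX controls declared in an
# Office Open XML document without opening it in Office. Assumes the standard layout of
# <word|xl|ppt>/activeX/activeXN.xml parts with the control's CLSID in the ActiveX namespace.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$ActiveXNamespace = 'http://schemas.microsoft.com/office/2006/activeX'

function Get-OfficeActiveXControls {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $archive = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $Path).Path)
    try {
        foreach ($entry in $archive.Entries) {
            # Only the XML descriptors; the sibling .bin parts hold the control's persisted state.
            if ($entry.FullName -notmatch '^(word|xl|ppt)/activeX/activeX\d+\.xml$') { continue }

            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$part = $reader.ReadToEnd() } finally { $reader.Dispose() }

            $ocx = $part.DocumentElement
            # Initialisation properties (ocxPr children) as name=value pairs, for context.
            $props = $ocx.ChildNodes |
                Where-Object { $_.LocalName -eq 'ocxPr' } |
                ForEach-Object {
                    '{0}={1}' -f $_.GetAttribute('name', $ActiveXNamespace),
                                 $_.GetAttribute('value', $ActiveXNamespace)
                }

            [pscustomobject]@{
                File        = $Path
                Part        = $entry.FullName
                ClassId     = $ocx.GetAttribute('classid', $ActiveXNamespace)
                Persistence = $ocx.GetAttribute('persistence', $ActiveXNamespace)
                Properties  = ($props -join '; ')
            }
        }
    } finally {
        $archive.Dispose()
    }
}

# Usage (hypothetical folder): triage every Word attachment saved from the mail quarantine.
# Get-ChildItem 'C:\Quarantine\*.docx' |
#     ForEach-Object { Get-OfficeActiveXControls -Path $_.FullName } |
#     Format-Table -AutoSize
```

A document with no activeX parts produces no output, which is the expected result for ordinary business correspondence; any control that does appear can be checked by its CLSID against what the organization actually uses before the attachment is released to the user.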

The attacker’s objective in this instance is to initiate compromise and gain a foothold on the network.

Lastly, to those who are leveraging our 24/7 Healthcare Security Operations Center (SOC) / SIEM: your network is being monitored and we will provide regular updates. To those who are not, please feel free to reach out to raheel.qureshi@isecurityconsulting.com or kees.pouw@isecurityconsulting.com and we will add you to our distribution list.

We will also provide updates to organizations we are servicing through our Incident Response Retainer.

Do not panic but stay safe and protected. We can always connect with you 1-on-1 to provide better guidance on how to gain better visibility into your controls, network, dark web, privileged user access protection and active threat hunting. The landscape around ransomware has evolved as the Healthcare sector is willing to pay ransom and malicious threat actors are now stronger than ever.

Please go ahead and share this with your peers.

For any other questions or concerns, please feel free to reach out to info@isecurityconsulting.com.

Best Regards,

The iSecurity Team