By security practitioners, for security practitioners innovate | novacoast federal | novaSOC | novacoast

Attackers Exploit Microsoft Windows Remote Code Execution Vulnerability In The Wild

No patch is currently available, but an official mitigation has been released.

Background

Microsoft has released an advisory for a new Remote Code Execution (RCE) vulnerability impacting Windows.

There is currently no patch, and exploit attempts have been observed in the wild. Although the proof of concept requires user interaction on the victim’s machine (the user must open the malicious file), the attack vector is well suited to phishing attacks.

The Microsoft advisory features a mitigation.

Vulnerability details

The Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444) appears to impact all versions of Windows, with no patch available.
 
An attacker can craft a malicious ActiveX control in an Office document that hosts the browser rendering engine, then trick the victim into opening the malicious document, allowing for further exploitation. The attacker can execute arbitrary commands with this attack, though the attacker’s resulting privileges may be limited if the user is not an administrator.
 
Microsoft’s official mitigation is a registry script that disables the installation of ActiveX controls on the system.

Mitigation guidance

  • Apply the official mitigation provided by Microsoft. This will disable installing ActiveX controls in Internet Explorer across all zones.
     
  • Utilize antivirus or EDR (Endpoint Detection and Response) tools on Windows machines with updated signatures. Microsoft Defender Antivirus and Microsoft Defender for Endpoint feature signatures to detect this activity (Defender for Endpoint signature: Suspicious Cpl File Execution).
     
  • As a general best practice, keep your systems up to date. Microsoft is developing a long-term patch for this vulnerability and will publish updates to their advisory (linked below).
     
  • Utilize Vulnerability Management solutions with updated signatures to proactively detect vulnerable systems within your environment.
     
  • Provide regular security training to employees to prevent them from being exploited by phishing and social engineering attacks.
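The following PowerShell script is an added example, not Microsoft’s own .reg script from the advisory: it applies the zone policy described in the first mitigation bullet and then audits it. It assumes the documented Internet Settings zone policy keys (zones 0 through 3) and the URL action values 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls), where a data value of 3 means “disable”; run it from an elevated prompt.

```powershell
# Added example (not the advisory's script): apply and audit the registry-based
# ActiveX download mitigation. Assumptions: the zone policy key below, zones 0-3
# (0 = Local Machine, 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet), and
# URL action values 1001 / 1004 with 3 = disable. Requires an elevated shell.

$ZonesRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones     = 0..3
$Actions   = '1001', '1004'   # signed / unsigned ActiveX control download
$Disable   = 3

function Set-ActiveXDownloadMitigation {
    foreach ($zone in $Zones) {
        $key = "$ZonesRoot\$zone"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($action in $Actions) {
            # Writing under the Policies hive overrides per-user zone settings,
            # so the restriction applies to every user on the machine.
            New-ItemProperty -Path $key -Name $action -Value $Disable `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-ActiveXDownloadMitigation {
    # Emits one row per zone/action; Compliant is $true only when the policy
    # value is present and set to 3 (disable). Use this for fleet-wide audits.
    foreach ($zone in $Zones) {
        $key = "$ZonesRoot\$zone"
        foreach ($action in $Actions) {
            $item  = Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
            $value = if ($null -ne $item) { $item.$action } else { $null }
            [pscustomobject]@{
                Zone      = $zone
                Action    = $action
                Value     = $value
                Compliant = ($value -eq $Disable)
            }
        }
    }
}

Set-ActiveXDownloadMitigation
Test-ActiveXDownloadMitigation | Format-Table -AutoSize
```

Note that this policy only blocks the installation of new ActiveX controls; controls that are already installed continue to run, so pair it with the EDR detections listed above rather than relying on it alone.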

Resources

Official Microsoft advisory:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

Krebs article:
https://krebsonsecurity.com/tag/cve-2021-40444/

CISA advisory:
https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444
