No patch is currently available, but an official mitigation has been released.
Microsoft has released an advisory for a new Remote Code Execution (RCE) vulnerability impacting Windows.
There is currently no patch, and there are observed exploit attempts in the wild. Though the Proof of Concept requires authenticated interaction on the victim’s machine, the attack vector is well suited for phishing attacks.
The Microsoft advisory features a mitigation.
The Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444) appears to impact all versions of Windows, with no patch available.
An attacker can craft a malicious ActiveX control in an Office document that hosts the browser rendering engine, then trick the victim into opening the malicious document, allowing for further exploitation. The attacker can execute arbitrary commands with this attack, though the attack surface may be limited if the user is not an administrator.
Microsoft's official mitigation is a registry script that disables the installation of ActiveX controls on the system.
- Apply the official mitigation provided by Microsoft. This will disable installing ActiveX controls in Internet Explorer across all zones.
- Utilize Antivirus or EDR (Endpoint Detection and Response) tools on Windows machines with updated signatures. Microsoft Defender Antivirus and Microsoft Defender for Endpoint feature signatures to detect this activity (Defender for Endpoint signature: Suspicious Cpl File Execution).
- As a general best practice, keep your system up to date. Microsoft is developing a long-term patch for this vulnerability and will publish updates to their advisory (linked below).
- Utilize Vulnerability Management solutions with updated signatures to proactively detect vulnerable systems within your environment.
- Provide regular security training to employees to prevent them from being exploited by phishing and social engineering attacks.
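To verify that the ActiveX mitigation described above has actually landed on a host (for example from an endpoint management tool), the following PowerShell audit script is an added example, not part of the original advisory or Microsoft's own script. It assumes the published mitigation sets the policy values 1001 (download signed ActiveX) and 1004 (download unsigned ActiveX) to 3 (disabled) for zones 0 through 3 under the Internet Settings policy key; confirm those details against the linked advisory before relying on it.

```powershell
# Added example (not from the original advisory). Audits, and optionally applies,
# the registry mitigation for CVE-2021-40444 (ActiveX installation disabled in IE).
# ASSUMPTION: key path, zone numbers 0-3, value names 1001/1004 and the "disabled"
# value 3 are taken from Microsoft's published mitigation; verify against the advisory.
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Values     = @('1001', '1004')   # signed / unsigned ActiveX download actions
$Disabled   = 3                   # 3 = disable, per the assumed mitigation

function Test-ActiveXMitigation {
    # Returns one row per zone/value pair. -Remediate writes the missing values
    # (requires an elevated session, since the policy key lives under HKLM).
    param([switch]$Remediate)

    foreach ($zone in 0..3) {
        $key = Join-Path $PolicyBase ([string]$zone)
        foreach ($name in $Values) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            $ok = ($current -eq $Disabled)
            if (-not $ok -and $Remediate) {
                New-Item -Path $key -Force | Out-Null
                New-ItemProperty -Path $key -Name $name -Value $Disabled -PropertyType DWord -Force | Out-Null
                $current = $Disabled
                $ok = $true
            }
            [pscustomobject]@{ Zone = $zone; Value = $name; Current = $current; Mitigated = $ok }
        }
    }
}

# Audit only; add -Remediate (elevated) to apply the mitigation where it is missing.
$report = Test-ActiveXMitigation
$report | Format-Table -AutoSize
if ($report.Mitigated -contains $false) {
    Write-Warning 'ActiveX mitigation is NOT fully applied on this host.'
    exit 1
}
Write-Host 'ActiveX mitigation is applied for all four zones.'
```

A non-zero exit code makes the script usable as a compliance check in a scheduled task or management agent, so unmitigated hosts surface in inventory rather than in an incident.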
Official Microsoft advisory: