So far the details are sparse, but Microsoft is warning Office users about a bug that has been christened CVE-2021-40444 and described as a Microsoft MSHTML Remote Code Execution Vulnerability.
The bug doesn’t have a patch yet, so it’s what’s known as a zero-day, shorthand for “the good guys had zero days’ head start over the bad guys in patching this vulnerability.”
In other words: the crooks got there first.
From what we can tell, the attack works like this:
- You open a booby-trapped Office file from the internet, either as an email attachment or by downloading a document from a criminal-controlled web link.
- The document includes an ActiveX control (embedded add-on code) that should not have unrestricted access to your computer.
- The ActiveX code activates the Windows MSHTML component, which is used to render web pages, exploits a bug in it to give itself the same level of control you would have from the Windows desktop, and uses that to deploy malware of the attacker’s choice.
MSHTML is not a complete browser like Internet Explorer or Edge, but a part of the operating system that can be used to build browsers, or browser-like applications that need or want to display HTML files.
Although HTML is most closely associated with web browsing, many non-browser applications find it useful to be able to render and display web content, for example as a convenient and attractive way to present documentation and help files, or to let users fill out and submit support tickets.
This concept of an “embedded minibrowser” can be found not only on Windows, but also on Google’s Android and Apple’s iOS, where the Blink and WebKit components, respectively, offer the same type of functionality as MSHTML on Microsoft platforms. Mozilla products like Firefox and Thunderbird are based on a similar idea, known as Gecko. Interestingly, on iOS, Apple not only uses WebKit as the core of its own browser, Safari, but also forces browsers and browser-like apps from other vendors to use WebKit. That’s why Firefox on iOS is the only version of that product that doesn’t include Gecko – it has no choice but to use WebKit.
HTML is not just for browsing
This means that HTML rendering bugs don’t only affect your browser and your browsing activity, so cybercriminals may have many different ways of poking a virtual stick into buggy web rendering code beyond simply sending you a booby-trapped web link.
Even if there is a bug that you can’t control closely enough to take over the browser of your choice, you may be able to find other applications in which the vulnerability can be used not only to crash the application, but also to take it over and implant malware.
This is what CVE-2021-40444 seems to do, as the attack is delivered using Office files loaded into Word, Excel, etc., instead of using web pages displayed directly in the browser.
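As an added example (not code from the article or from Microsoft), here is a defender-side scanner for the Office Open XML package format: it unzips a .docx in memory and flags OLE-object or ActiveX-control relationships whose target is an external web URL rather than a part embedded inside the file, which is the kind of document that should never be allowed out of Protected View. The relationship type URIs are the standard OOXML ones; the sample documents and the host lure.example are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Added example, not code from the article. Scans the relationship parts of an
# Office Open XML (.docx) package for OLE-object / ActiveX-control links that
# point at a network location instead of a part embedded inside the zip.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OBJECT_TYPES = (OFFICE_REL + "oleObject", OFFICE_REL + "control")

def external_object_targets(docx_bytes: bytes) -> list:
    """Return (rels_part, Id, kind, Target) for each external, URL-based object link."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype, target = rel.get("Type", ""), rel.get("Target", "")
                if rtype not in OBJECT_TYPES or rel.get("TargetMode") != "External":
                    continue  # embedded objects are read from inside the package
                scheme = urlsplit(target).scheme.lower()
                # a one-letter "scheme" is a Windows drive letter (C:\...), not a URL
                if len(scheme) > 1 and scheme != "file":
                    findings.append((part, rel.get("Id"), rtype.rsplit("/", 1)[-1], target))
    return findings

def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx containing only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

# Constructed samples: a normal document with an embedded OLE part, and a lure
# whose OLE relationship points to a web address on a hypothetical host.
BENIGN_DOCX = build_sample_docx(
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
    f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" Target="embeddings/oleObject1.bin"/>'
    "</Relationships>")
LURE_DOCX = build_sample_docx(
    f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId9" Type="{OFFICE_REL}oleObject" '
    'Target="http://lure.example/embedded.html" TargetMode="External"/></Relationships>')
```

Running `external_object_targets()` over a mail gateway's attachment queue gives a cheap triage signal for documents that pull objects from the network; it is a heuristic, not a substitute for the patch or for the ActiveX-disabling setting described below.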
What to do?
- Avoid opening documents you weren’t expecting. Don’t be tempted to look at the content just because an email or document matches your interests, your line of work, or your current research. This doesn’t show that the sender really knows you, nor that they can be trusted in any way; the information is likely to be publicly available through your work website or your own social media posts.
- Don’t be tempted to leave Office’s Protected View. By default, Office documents received over the internet (either by email or via the web) are opened in a way that prevents active content such as Visual Basic macros and ActiveX controls from running. If you see a yellow bar at the top of the page warning you that potentially dangerous parts of the document have not been activated, don’t click the [Enable Editing] button, especially if the text of the document itself “advises” you to!
- Consider applying Protected View permanently to all external content. System administrators can enforce network-wide settings that prevent any user from using the [Enable Editing] option to escape Protected View in Office. Ideally, you should never need to rely on so-called active content in external documents, and you avoid a wide range of attacks if you prevent it from running at all.
- Disable ActiveX controls that use the MSHTML web renderer. Sysadmins can apply this with a network-wide registry setting that prevents ActiveX controls arriving in new documents from working, regardless of whether or not the document opens in Protected View. This workaround specifically prevents the CVE-2021-40444 vulnerability from being exploited.
- Keep your eyes peeled for a Microsoft patch. Next Tuesday (14-09-2021) is Patch Tuesday for September 2021; we hope Microsoft has a complete fix ready sooner rather than later.