With no patch yet available for the recently disclosed zero-day in the Windows MSHTML engine, attackers are continuing to take advantage of the bug in targeted attacks, while researchers have discovered that the recommended mitigation doesn’t protect against all types of attacks.
Microsoft released an advisory detailing the vulnerability (CVE-2021-40444) on Tuesday and warned that exploitation had already been detected. The vulnerability lies in the MSHTML engine and it affects all modern versions of Windows. The most likely exploitation vector is with a malicious Office document delivered via email, but there are other scenarios, as well.
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” the Microsoft advisory says.
Researcher Rich Warren of NCC Group also developed a technique for exploiting the bug using a Rich Text Format (RTF) file in Windows Explorer.
“This indicates it can be exploited even without opening the file and this invalidates Microsoft’s workaround mitigation,” said John Hammond of Huntress in an analysis of the activity.
“For Office files, no traditional VBA macros are needed for this attack. Any URL beginning with mshtml:http will download a file passed to the MSHTML parser engine, and potentially any way an Office document can call out to a URL can be used to exploit CVE-2021-40444.”
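As an added defensive example (not from the article or from the researchers it quotes): the `mshtml:http` prefix Hammond describes has to be written somewhere inside the document, and for Office Open XML files (.docx, .xlsx, .pptx, all of which are ZIP packages) the natural place is a relationship `Target` in one of the `.rels` parts. The scanner below opens the package, parses every `.rels` part and reports any relationship whose `Target` uses the `mshtml:` scheme, so it can run as a mail-gateway or triage check on attachments. The sample package it builds, the `oleObject` relationship `Type` used in it, the `example.invalid` hostname and the helper names are constructed for this demonstration; it does not cover the RTF/Explorer vector or a document that reaches the URL some other way.

```python
import io
import re
import zipfile
from typing import List, Tuple
from xml.etree import ElementTree as ET

# Namespace of OOXML package relationship parts (word/_rels/document.xml.rels etc.)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# The URL scheme named in the analysis; case-insensitive, tolerate leading whitespace
MSHTML_SCHEME = re.compile(r"^\s*mshtml:", re.IGNORECASE)


def find_mshtml_relationships(doc_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (rels_part_name, target) pairs whose Target uses the mshtml: scheme.

    Non-ZIP input (e.g. an RTF file or a legacy .doc) yields an empty list:
    this check only understands OOXML packages.
    """
    if not zipfile.is_zipfile(io.BytesIO(doc_bytes)):
        return []
    hits: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # A malformed rels part is itself worth a look, but is not this signal
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if MSHTML_SCHEME.match(target):
                    hits.append((name, target))
    return hits


def build_sample_package(target: str) -> bytes:
    """Construct a minimal .docx-shaped ZIP whose document relationships point at `target`.

    Constructed test data: enough structure for the scanner, not a document Word would open.
    """
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        f'Target="{target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_package("mshtml:http://example.invalid/page.html")
    benign = build_sample_package("https://example.invalid/page.html")
    print("suspicious:", find_mshtml_relationships(suspicious))
    print("benign:", find_mshtml_relationships(benign))
```

Pointing the scanner at real attachments is a matter of reading the file bytes and passing them to `find_mshtml_relationships`; a non-empty result is a reason to quarantine the file for analyst review rather than a verdict on its own, and an empty result says nothing about RTF or other non-OOXML carriers.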
And, though the original exploit activity can be traced back as far as August, the exploits had remained private until Friday, when some proof-of-concept exploits began circulating on forums. Some offensive security researchers have begun sharing their own exploits, as well. Microsoft has not said when it plans to release a patch for the vulnerability, but the company’s next scheduled Patch Tuesday release is Sept. 14.
Microsoft’s main workaround suggestion has been to disable all ActiveX controls in Internet Explorer, but researchers have demonstrated that exploitation does not necessarily rely on ActiveX.