
Microsoft Reports Zero-Day CVE-2021-40444, and What You Can Do

On September 7, 2021, Microsoft confirmed a remote code execution (RCE) vulnerability in Windows, tracked as CVE-2021-40444 [1]. The flaw lets an attacker who persuades a user to open a crafted document run code on that user's system, and it was already being exploited in the wild as a zero-day when it was disclosed.

The defect lies in MSHTML, the browser rendering engine behind Internet Explorer. Microsoft Office also uses MSHTML to render web content referenced from documents, which is how an Office file can reach the vulnerable code. At the time of writing, CVE-2021-40444 was known to be used to deliver Cobalt Strike payloads; Cobalt Strike is a commercial threat emulation framework that attackers frequently abuse for post-exploitation.

A researcher at EXPMON first disclosed this zero-day in a tweet, warning "Office users be extremely cautious about Office files." EXPMON reported the issue to Microsoft on Sunday, September 5. Microsoft released a security advisory soon thereafter, suggesting workarounds while the company investigated, and shipped a fix on September 14, 2021 [2].

How Attackers Exploit CVE-2021-40444

An attacker crafts a Microsoft Office document (for example a .docx) that carries a malicious ActiveX control. The document hosts an OLEObject whose relationship target points to an attacker-controlled web page; when Office resolves that link, the content is handed to the MSHTML rendering engine.

Figure 1: OLEObject in Microsoft Word file


The attacker then has to trick the target into opening the document. On opening, MSHTML renders the linked HTML file, whose obfuscated script loads the ActiveX control; the control in turn downloads the malware payload or a remote access tool.

Figure 2: MSHTML is triggered to run an HTML file with obfuscated script


Microsoft noted that an attacker who succeeds gains the rights of the logged-on user, so accounts configured with administrator rights are exposed to more damage than accounts with fewer user rights.

Mitigation and Workaround

Microsoft advised that disabling the installation of all ActiveX controls in Internet Explorer mitigates the attacks seen so far. This is done through Group Policy, either by updating the registry directly or by using the Local Group Policy Editor. After the change, new ActiveX controls can no longer be installed, while controls that were installed previously continue to run.
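The registry form of that workaround, as an added example that is not part of the original post or of Microsoft's advisory: the script below writes the same machine-wide policy values that Microsoft's published .reg file sets (URL actions 1001 "Download signed ActiveX controls" and 1004 "Download unsigned ActiveX controls" set to 3, Disable, for Internet Explorer zones 0 to 3) and audits that they are in place. The key path and value numbers are reproduced from memory of the advisory and should be checked against it before use; the `audit` function takes an injected reader so the logic can be exercised off-box, and the `winreg` calls only run on Windows from an elevated prompt.

```python
"""Apply and verify the ActiveX-installation workaround for CVE-2021-40444.

Added example, not code from the original post. The key path and the value
numbers below are assumed to match Microsoft's published .reg workaround.
"""
import sys

# Internet Explorer security zones covered by the workaround.
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet"}
# URL-action policy values that control ActiveX installation.
URL_ACTIONS = {"1001": "Download signed ActiveX controls",
               "1004": "Download unsigned ActiveX controls"}
DISABLE = 3  # URL-action setting: 0 = Enable, 1 = Prompt, 3 = Disable
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"


def workaround_reg_text():
    """Return .reg file content that sets both URL actions to Disable in every zone."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for zone in ZONES:
        lines.append(f"[HKEY_LOCAL_MACHINE\\{POLICY_KEY}\\{zone}]")
        for action in URL_ACTIONS:
            lines.append(f'"{action}"=dword:{DISABLE:08x}')
        lines.append("")
    return "\n".join(lines)


def audit(read_value):
    """Return the (zone, action) pairs that are NOT set to Disable.

    read_value(zone, action) must return the DWORD or None when the value is
    missing. It is injected so the check can be tested without a registry.
    """
    gaps = []
    for zone in ZONES:
        for action in URL_ACTIONS:
            if read_value(zone, action) != DISABLE:
                gaps.append((zone, action))
    return gaps


def read_registry_value(zone, action):
    """Windows-only reader for audit(): fetch one policy value from HKLM."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, f"{POLICY_KEY}\\{zone}") as key:
            value, _ = winreg.QueryValueEx(key, action)
            return value
    except OSError:
        return None


def apply_on_windows():
    """Windows-only: create the policy keys and set both actions to Disable."""
    import winreg
    for zone in ZONES:
        with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, f"{POLICY_KEY}\\{zone}",
                                0, winreg.KEY_SET_VALUE) as key:
            for action in URL_ACTIONS:
                winreg.SetValueEx(key, action, 0, winreg.REG_DWORD, DISABLE)


if __name__ == "__main__":
    if sys.platform == "win32":
        apply_on_windows()
        print("zones/actions still not disabled:", audit(read_registry_value))
    else:
        # Off Windows, just emit the .reg file so it can be imported elsewhere.
        print(workaround_reg_text())
```

Because these values live under the Policies hive, they override per-user Internet Options settings; an audit that reports gaps after a reboot usually means a conflicting Group Policy Object is rewriting the keys.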

How Deep CDR Can Protect Against Zero-Day Attacks

Content Disarm and Reconstruction (CDR) can help mitigate the risk associated with this vulnerability. OPSWAT Deep CDR assumes all files are malicious, then sanitizes and rebuilds the file components so that the result keeps its usability while carrying only safe content. The technology effectively disarms file-based threats, including complex and sandbox-aware threats and threats that rely on evasion techniques such as fully undetectable malware or obfuscation.

In this case, Deep CDR removes the potential threat objects, the OLEObject and the ActiveX control, from the document. After sanitization, the document no longer contains the external link to the malicious HTML page.

Figure 3: Deep CDR removes potential threat objects
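To make the two preceding points concrete, the document structure the attacker relies on and the removal a CDR pass performs, here is an added example that is not code from the original post or from OPSWAT. It inspects a .docx (a ZIP of XML parts) for OLE relationships whose target is external, the pattern public analyses of CVE-2021-40444 lures described (an `mhtml:` target with an `x-usc:` suffix in `word/_rels/document.xml.rels`, referenced by a `<w:object>` in `word/document.xml`), and then rebuilds the archive without that relationship and without the object that references it. The sample document, the `example.invalid` host and all helper names are constructed for the demonstration; a real CDR engine parses every part fully rather than using the regular expression shortcut used here for the object element.

```python
"""Detect and strip external OLE links from a .docx, CDR-style.

Added example, not the original post's or OPSWAT's code. The sample document
below is constructed to mimic the public lure structure; it is not a real sample.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Any of these schemes on an OLE target means the object is fetched from outside the file.
SUSPICIOUS_SCHEMES = ("mhtml:", "http:", "https:", "file:")


def build_sample_docx():
    """Constructed minimal .docx: one text run plus an OLEObject linked to a remote page."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" '
        'xmlns:o="urn:schemas-microsoft-com:office:office"><w:body>'
        '<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>'
        '<w:p><w:r><w:object><o:OLEObject Type="Link" ProgID="htmlfile" '
        'ShapeID="_x0000_i1025" r:id="rId5" UpdateMode="Always"/></w:object></w:r></w:p>'
        '</w:body></w:document>'
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
        '2006/relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="mhtml:http://example.invalid/'
        'side.html!x-usc:http://example.invalid/side.html" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def read_part(docx_bytes, name):
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(name)


def find_external_ole(docx_bytes):
    """Return (rels part, relationship Id, target) for every OLE relationship that leaves the file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.findall(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" or target.lower().startswith(SUSPICIOUS_SCHEMES):
                    hits.append((name, rel.get("Id"), target))
    return hits


def _owner_of(rels_part):
    """word/_rels/document.xml.rels -> word/document.xml (the part those relationships belong to)."""
    return rels_part.replace("_rels/", "", 1)[:-len(".rels")]


def _drop_relationships(xml, ids):
    ET.register_namespace("", REL_NS)  # keep the default namespace on re-serialization
    root = ET.fromstring(xml)
    for rel in list(root):
        if rel.get("Id") in ids:
            root.remove(rel)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def _drop_objects(xml, ids):
    """Remove each <w:object> that references one of the doomed relationship Ids."""
    def repl(m):
        block = m.group(0)
        return b"" if any(f'r:id="{rid}"'.encode() in block for rid in ids) else block
    return re.sub(rb"<w:object\b.*?</w:object>", repl, xml, flags=re.S)


def sanitize(docx_bytes):
    """Rebuild the archive without external OLE relationships or the objects that use them."""
    doomed = {}  # rels part name -> set of relationship Ids to remove
    for part, rid, _ in find_external_ole(docx_bytes):
        doomed.setdefault(part, set()).add(rid)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zin, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            data = zin.read(info.filename)
            if info.filename in doomed:
                data = _drop_relationships(data, doomed[info.filename])
            for rels_part, ids in doomed.items():
                if _owner_of(rels_part) == info.filename:
                    data = _drop_objects(data, ids)
            zout.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", find_external_ole(sample))
    print("after: ", find_external_ole(sanitize(sample)))
```

Running it prints one hit for `rId5` before sanitization and none after; the benign `styles.xml` relationship and the document text survive. Note the detection keys on the relationship, not on the `ProgID` or the URL, because the same external-link mechanism works with other targets, which is also why a CDR approach removes the object class rather than matching a known bad address.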


Scanning the sample with MetaDefender Cloud flags the threat, and the scan results support the sanitization action:

Figure 4: Threats detected by MetaDefender Cloud


After sanitization, the results show that the OLEObject has been removed and the file is safe to open:

Figure 5: Sanitized file status in MetaDefender Cloud

About OPSWAT Deep CDR

OPSWAT Deep CDR technology is a market leader with superior features like multi-level archive processing, the accuracy of file regeneration, and support for 100+ file types. Our technology provides in-depth views of what is being sanitized and how data are sanitized, allowing you to make informed choices and define configurations to meet your use cases. The result? Safe files with 100% of threats eliminated within milliseconds, so your workflow is not interrupted.

To learn more about Deep CDR and how OPSWAT can protect your organization, talk to one of our critical infrastructure cybersecurity experts.

References

[1] “Microsoft MSHTML Remote Code Execution Vulnerability”. 2021. Microsoft Security Response Center. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

[2] “Microsoft patches actively exploited MSHTML zero-day RCE (CVE-2021-40444)”. September 14, 2021. Help Net Security. https://www.helpnetsecurity.com/2021/09/14/cve-2021-40444-fix/
