Microsoft MSHTML Remote Code Execution Vulnerability Exploited in the Wild (CVE-2021-40444)

Description

Update as of September 14th: Microsoft has officially released patches for affected products. Please refer to the APPENDIX section to "Microsoft MSHTML Remote Code Execution Vulnerability" for links to the patches in the "Security Update Section".

Update as of September 13th: Updated Status of Coverage with additional AV detection.

Update as of September 8th: Updated Status of Coverage with AV, IPS, Webfiltering, EDR information.


FortiGuard Labs is aware of a newly discovered vulnerability in Microsoft Windows. Assigned CVE-2021-40444, and disclosed by Microsoft today, this vulnerability is a remote code execution vulnerability in Microsoft MSHTML affecting multiple Microsoft Windows platforms. MSHTML, also referred to as Trident, is the Microsoft legacy browser engine for Internet Explorer, specific to Microsoft Windows platforms. Microsoft has observed in the wild attacks leveraging this vulnerability where attackers are creating maliciously crafted Microsoft Office documents that try to compel an unsuspecting victim into opening them.


What are the Technical Details of the Vulnerability?

According to Microsoft, an attacker can create a malicious ActiveX control that can be utilized by a Microsoft Office document that hosts the browser rendering engine. In order for an attacker to successfully leverage this vulnerability, the target must be socially engineered to open the maliciously crafted Office file.


Is this Being Exploited in the Wild?

Yes. According to Microsoft, this is limited to targeted attacks.


What is the CVSS score?

8.8 (HIGH)


Is there a Patch Available?

No. Microsoft states that there is no patch available at this time.


What Versions of Windows are Affected?

Windows Server 2012 R2 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 (Server Core installation)

Windows Server 2012

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows RT 8.1

Windows 8.1 for x64-based systems

Windows 8.1 for 32-bit systems

Windows Server 2016 (Server Core installation)

Windows Server 2016

Windows 10 Version 1607 for x64-based Systems

Windows 10 Version 1607 for 32-bit Systems

Windows 10 for x64-based Systems

Windows 10 for 32-bit Systems

Windows Server, version 20H2 (Server Core Installation)

Windows 10 Version 20H2 for ARM64-based Systems

Windows 10 Version 20H2 for 32-bit Systems

Windows 10 Version 20H2 for x64-based Systems

Windows Server, version 2004 (Server Core installation)

Windows 10 Version 2004 for x64-based Systems

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for 32-bit Systems

Windows Server 2022 (Server Core installation)

Windows Server 2022

Windows 10 Version 21H1 for 32-bit Systems

Windows 10 Version 21H1 for ARM64-based Systems

Windows 10 Version 21H1 for x64-based Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for 32-bit Systems

Windows Server 2019 (Server Core installation)

Windows Server 2019

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems


Any Mitigation and or Workarounds?

Disabling all ActiveX controls in Microsoft Internet Explorer will mitigate this issue. This can be done by editing the registry which should be done carefully as incorrectly editing the registry can cause severe operating system issues. For specific details on how to perform these edits, please refer to the Workaround section in the Microsoft MSHTML Remote Code Execution Vulnerability link within the APPENDIX section.


What is the Status of Coverage? (Last updated on September 13th)

FortiGuard Labs have the following AV coverage against the files associated with the attack:

  • JS/Agent.NKE!tr (definitions version 88.00961)
  • MSOFFICE/Agent.DHY!tr (definitions version 88.00961)
  • W64/Agent.ASO!tr (definitions version 88.00798)
  • MSOffice/Agent.D455!tr.dldr (definitions version 88.09650)
  • MSOffice/Agent.CNG!tr.dldr (definitions version 88.09740)
  • JS/Agent.NKE!tr (definitions version 88.09620)
  • JS/CVE_2021_40444.181B!exploit
  • HTML/CVE202140444.06F3!tr
All known network IOC's are blocked by the WebFiltering client.

For FortiEDR, all known samples have been added to our cloud intelligence and will be blocked if executed.

For IPS protection, FortiGuard Labs has IPS coverage in place for this vulnerability as: MS.Office.MSHTML.Remote.Code.Execution

FortiGuard Content, Disarm, and Reconstruction (CDR) can protect users from this attack by enabling the following option:

Enable/disable stripping of linked objects in Microsoft Office documents.

Telemetry