Microsoft, CISA urge use of mitigations and workarounds for Office document vulnerability

Microsoft said disabling the installation of all ActiveX controls in Internet Explorer mitigates the attack.
Written by Jonathan Greig, Contributor

Microsoft said it had identified a limited number of attacks targeting a remote code execution vulnerability in MSHTML that affects Microsoft Windows.

CISA released its own message urging "users and organizations to review Microsoft's mitigations and workarounds to address CVE-2021-40444, a remote code execution vulnerability in Microsoft Windows."

Microsoft said the vulnerability was first discovered by Rick Cole of the Microsoft Security Response Center, Haifei Li of EXPMON, as well as Dhanesh Kizhakkinan, Bryce Abdo and Genwei Jiang of Mandiant. 

"Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine," Microsoft explained. 

"The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." 

Microsoft's advisory notes that Defender Antivirus and Defender for Endpoint detect and protect against exploitation of the vulnerability, so customers running those tools with automatic updates enabled are already protected. Enterprise customers who manage updates themselves "should select the detection build 1.349.22.0 or newer and deploy it across their environments," the advisory adds.

The alerts in Microsoft Defender will show up as "Suspicious Cpl File Execution."

Microsoft said that once its investigation is finished, it will release a security update either in a Patch Tuesday release or as a separate out-of-cycle security update.

The release adds that Microsoft Office opens documents from the internet in Protected View or Application Guard for Office by default, both of which prevent the current attack. 

In terms of mitigations and workarounds, Microsoft suggested disabling the installation of all ActiveX controls in Internet Explorer. 

"This can be accomplished for all sites by updating the registry. Previously-installed ActiveX controls will continue to run, but do not expose this vulnerability," the release said. "If you misuse Registry Editor, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from misusing Registry Editor." 

The notice also provides specific instructions on how to disable ActiveX controls on an individual system. 
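The workaround Microsoft describes above is a change to the Internet Explorer security-zone policy in the registry. The PowerShell below is an added example, not code from the ZDNet article or from Microsoft's advisory: it audits whether the "download signed/unsigned ActiveX controls" URL actions are set to Disable in each zone, and can apply that setting with a preview (`-WhatIf`) first. The zone key path, the value names `1001` and `1004`, and the data value `3` (Disable) are assumptions taken from the published Microsoft workaround for CVE-2021-40444 rather than from this page; verify them against the current advisory before deploying, and test on a non-production host, since the advisory warns that registry edits can have serious side effects.

```powershell
# Added example (not from the article or the vendor advisory text quoted on the page).
# Assumptions to verify against Microsoft's advisory for CVE-2021-40444:
#   - zone policy keys live under the path in $ZoneBase
#   - value 1001 = "Download signed ActiveX controls"
#   - value 1004 = "Download unsigned ActiveX controls"
#   - data 3 = Disable (1 = Prompt, 0 = Enable)
# Run from an elevated PowerShell session on the host being assessed.

$ZoneBase      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveXValues = @('1001', '1004')
$DisabledData  = 3
$Zones         = 0..3   # 0 Local Machine, 1 Local Intranet, 2 Trusted Sites, 3 Internet

# Report the current state of both ActiveX download actions for every zone.
function Get-ActiveXDownloadPolicy {
    foreach ($zone in $Zones) {
        $path = Join-Path -Path $ZoneBase -ChildPath "$zone"
        foreach ($name in $ActiveXValues) {
            $data = $null
            if (Test-Path -Path $path) {
                # Missing value -> $null, which reports as not mitigated.
                $data = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Zone      = $zone
                Setting   = $name
                Data      = $data
                Mitigated = ($data -eq $DisabledData)
            }
        }
    }
}

# Apply the workaround: create any missing zone key and set both values to Disable.
# SupportsShouldProcess lets an operator preview the change with -WhatIf.
function Set-ActiveXDownloadPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($zone in $Zones) {
        $path = Join-Path -Path $ZoneBase -ChildPath "$zone"
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        foreach ($name in $ActiveXValues) {
            if ($PSCmdlet.ShouldProcess("$path\$name", "Set DWORD to $DisabledData (Disable)")) {
                New-ItemProperty -Path $path -Name $name -Value $DisabledData `
                    -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

# Audit first. Uncomment the second line to preview, then run it without -WhatIf to enforce.
Get-ActiveXDownloadPolicy | Format-Table -AutoSize
# Set-ActiveXDownloadPolicy -WhatIf
```

Because the keys are written under the `Policies` hive, the setting is enforced for all sites and all users on the machine, which matches the "for all sites" wording of the advisory; a Group Policy Preference that sets the same values is the equivalent for fleet-wide rollout. Re-running `Get-ActiveXDownloadPolicy` after the vendor patch is applied gives a quick way to confirm the workaround is still (or no longer) in place when deciding whether to roll it back.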

John Bambenek, the principal threat hunter at Netenrich, said malicious Office documents are a go-to favorite for cybercriminals and hostile nation-states. 

"This vulnerability allows more direct exploitation of a system than the usual tricking users to disable security controls. As this is already being exploited, immediate patching should be done. However, this is a stark reminder that in 2021, we still can't send documents from point A to point B securely," he said.

BreachQuest CTO Jake Williams added that MSHTML is a component used by myriad applications on Windows, noting that if you've ever opened an application that seemingly "magically" knows your proxy settings, that's likely because it uses MSHTML under the hood. 

"While there are currently few details available about the vulnerability, the impact is likely to extend beyond MS Office. Vulnerabilities like these tend to have extremely long lifetimes for exploitation in the wild, highlighting the need for security monitoring and periodic threat hunting," Williams explained. 

According to Bugcrowd CTO Casey Ellis, the good news is that this vulnerability is client-side and requires user interaction. Ellis told ZDNet that the exploit complexity appears quite low, the impact is very high, and its weaponized form is useful in many different attacks, including the installation of ransomware. 

"The consistent challenge with client-side vulnerabilities like this one is that there are a *lot* of systems that need to be patched, which means they stay available for exploitation to attackers for quite some time," Ellis said. 
