|Vulnerability Class||Remote Code Execution|
- Microsoft Mandiant, and Expmon researchers have detected a vulnerability, tracked as CVE-2021-40444, that targets a remote code execution flaw in MSHTML, used in Microsoft Office to render web content inside Word, Excel, and PowerPoint documents.
- The zero-day vulnerability is actively exploited by threat actors and Office users are targeted through client-side attack vectors.
- Microsoft has updated Windows Defender Antivirus and Windows Defender for Endpoints to defend against this vulnerability.
- Assets can be protected against the attack by following the guidelines recorded in the Impact & Mitigation section of this advisory.
AnalysisTrident, popularly known as the MSHTML, is a browser engine developed by Microsoft for Internet Explorer. The Microsoft Office suite supports MSHTML, which has a remote code execution vulnerability (CVE-2021-40444) that attackers are increasingly exploiting to gain code execution on targeted systems. At present, Microsoft has not disclosed the technical details of the vulnerability.
- Threat actors craft a malicious ActiveX control which is then used in Office documents that host MSHTML.
- The logical flaw in MSHTML is triggered when the user opens the malicious document.
- However, Protected View/ Application Guard in Microsoft Office applications is capable of defending against these targeted attacks.
- Microsoft has updated Defender for Endpoints, to flag such attacks with an alert that reads “Suspicious Cpl File Execution.”
- Microsoft has not released a patch for this zero-day vulnerability, but TTPs (Techniques tactics and procedures) for this vulnerability have been updated in Windows Defender.
- Additionally, an official Microsoft advisory that includes a workaround has been included in the following section.
Impact & Mitigation
Indicators of Compromise