===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2021.0177.2
           Microsoft MSHTML Remote Code Execution Vulnerability
                             15 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          MSHTML
Operating System: Windows
Impact/Access:    Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2021-40444  

Revision History: September 15 2021: Microsoft has released security updates to address this vulnerability
                  September  8 2021: Initial Release

OVERVIEW

        Microsoft has released an advisory detailing a remote code execution
        vulnerability in Windows that is currently being exploited in the
        wild. CVE-2021-40444 has been assigned to this vulnerability. [1]


IMPACT

        Microsoft has stated the following: 
        "Microsoft is investigating reports of a remote code execution 
        vulnerability in MSHTML that affects Microsoft Windows. Microsoft 
        is aware of targeted attacks that attempt to exploit this vulnerability 
        by using specially-crafted Microsoft Office documents.
        
        An attacker could craft a malicious ActiveX control to be used by a
        Microsoft Office document that hosts the browser rendering engine. 
        The attacker would then have to convince the user to open the 
        malicious document. Users whose accounts are configured to have 
        fewer user rights on the system could be less impacted than users 
        who operate with administrative user rights."
        
        --------------------UPDATE 14/09/2021--------------------
        
        Microsoft has released security updates to address this vulnerability. [1]


MITIGATION

        Microsoft advises that, by default, Microsoft Office opens documents
        from the internet in Protected View or Application Guard for Office,
        both of which prevent the current attack. [1]
        
        Microsoft also advises that disabling the installation of all 
        ActiveX controls in Internet Explorer mitigates this attack. [1]
        
        Microsoft Defender Antivirus and Microsoft Defender for Endpoint 
        both provide detection and protections for the known vulnerability.
        [1]
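
        The following read-only check is an added example, not part of the
        AusCERT bulletin or of Microsoft's advisory text quoted here. It
        audits whether installation of ActiveX controls is disabled by
        machine policy. The registry path and the URL action values
        (1001, 1004, value 3) are assumptions that do not appear in this
        bulletin; confirm them against reference [1] before relying on
        the result.

```powershell
# Added example: read-only audit of the "disable ActiveX installation" mitigation.
# Assumption (not stated in this bulletin): the mitigation is expressed as URL
# actions 1001 (download signed ActiveX controls) and 1004 (download unsigned
# ActiveX controls) set to 3 (disable) for Internet Explorer security zones 0-3
# under the machine policy key below.
$ZonesRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet' }
$Actions   = @{ '1001' = 'Download signed ActiveX controls'
                '1004' = 'Download unsigned ActiveX controls' }
$Disabled  = 3

function Get-ActiveXInstallAudit {
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonesRoot "$zone"
        foreach ($action in ($Actions.Keys | Sort-Object)) {
            # A missing key or value means the policy is not enforced for that zone.
            $value = $null
            if (Test-Path $key) {
                $value = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
            }
            [pscustomobject]@{
                Zone      = "$zone ($($ZoneNames[$zone]))"
                Action    = "$action ($($Actions[$action]))"
                Value     = if ($null -eq $value) { 'not set' } else { $value }
                Mitigated = ($value -eq $Disabled)
            }
        }
    }
}

$results = @(Get-ActiveXInstallAudit)
$results | Format-Table -AutoSize

# Report every zone/action pair where the policy value is absent or not "disable".
$gaps = @($results | Where-Object { -not $_.Mitigated })
if ($gaps.Count -eq 0) {
    Write-Output 'ActiveX control installation is disabled by policy in zones 0-3.'
} else {
    Write-Output "$($gaps.Count) zone/action pair(s) do not enforce the mitigation."
    exit 1
}
```

        The script only reads the registry and exits non-zero when any
        zone lacks the setting, so it can be run from an inventory or
        compliance job.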
        
        --------------------UPDATE 14/09/2021--------------------
        
        Microsoft has released security updates to address this vulnerability. [1]


REFERENCES

        [1] Microsoft MSHTML Remote Code Execution Vulnerability
            https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================