Microsoft is warning of a new zero-day vulnerability in Windows MSHTML that allows attackers to perform remote code execution via a malicious ActiveX control and a Microsoft Office document.
Microsoft and CISA issued warnings about the vulnerability this week, with both saying it has been exploited in the wild. It has been assigned CVE-2021-40444.
Attackers are exploiting the vulnerability with specially crafted Microsoft Office documents that host the browser rendering engine; the attacker then has to convince a user to open the malicious document.
According to Microsoft, code run through the exploit has the rights of the user who opened the document, so administrators and other users with elevated privileges are the most exposed, while users with fewer rights could be less impacted.
The company’s advisory says Microsoft Defender Antivirus and Defender for Endpoint both provide detection and protection for this vulnerability, but only if antimalware products are kept up to date; customers with automatic updates enabled need no further action.
Enterprise admins who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Defender for Endpoint alerts will be displayed as “Suspicious Cpl File Execution”, the company says.
Microsoft says Office opens documents from the internet in Protected View or Application Guard for Office, and that this prevents the current attack because the document’s active content is not run. Both rely on the file carrying the Mark of the Web; that is a default setting, so make sure it hasn’t been changed, and bear in mind that a document extracted from an archive or otherwise missing the mark does not get this protection.
Although no patch has been issued yet, Microsoft has published a workaround: disabling the installation of all ActiveX controls in Internet Explorer, which is done by updating the registry.
Previously installed ActiveX controls will continue to run, but do not expose this flaw, the company says.
However, editing the registry incorrectly can cause serious problems that may require reinstalling the operating system, so follow Microsoft’s workaround instructions closely and back up the affected keys first.
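The following PowerShell script is an added example, not the article’s or Microsoft’s own code, that covers both checks described above: it confirms the Defender signature build is at or above 1.349.22.0, then applies and verifies the registry workaround. The value names (1001 and 1004, the URL actions for downloading signed and unsigned ActiveX controls) and the data value 3 (Disable) are the ones Microsoft documented for this workaround, written to zones 0 through 3 under the policy hive; confirm them against the current advisory before deploying, and run from an elevated prompt.

```powershell
# Added example: checks Defender signature level and applies/verifies the ActiveX
# workaround for CVE-2021-40444. Values are from Microsoft's published workaround;
# verify against the advisory before use. Requires an elevated PowerShell session.

$requiredBuild = [version]'1.349.22.0'

function Test-DefenderSignature {
    # Returns $true when the installed antivirus signature build meets the
    # detection build Microsoft named for this vulnerability.
    $status = Get-MpComputerStatus
    $installed = [version]$status.AntivirusSignatureVersion
    return ($installed -ge $requiredBuild)
}

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# 1001 = Download signed ActiveX controls, 1004 = Download unsigned ActiveX controls
# 3 = Disable
$actions = @{ '1001' = 3; '1004' = 3 }
# Zones 0-3: My Computer, Local intranet, Trusted sites, Internet
$zones = 0..3

function Backup-ZonePolicy {
    # Exports the policy key before touching it (reg.exe returns an error if the
    # key does not exist yet, which is harmless here).
    $file = Join-Path $env:TEMP 'zones-policy-backup.reg'
    reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones' $file /y 2>$null
    return $file
}

function Set-ActiveXWorkaround {
    foreach ($z in $zones) {
        $path = Join-Path $base "$z"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $actions.Keys) {
            New-ItemProperty -Path $path -Name $name -PropertyType DWord `
                -Value $actions[$name] -Force | Out-Null
        }
    }
}

function Test-ActiveXWorkaround {
    # Returns $true only when every zone has both actions set to 3.
    foreach ($z in $zones) {
        $path = Join-Path $base "$z"
        if (-not (Test-Path $path)) { return $false }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $actions.Keys) {
            if ($props.$name -ne $actions[$name]) { return $false }
        }
    }
    return $true
}

if (Test-DefenderSignature) {
    "Defender signatures are at or above $requiredBuild"
} else {
    "Defender signatures are below $requiredBuild; update before relying on detection"
}

$backup = Backup-ZonePolicy
"Policy key backed up to $backup"
Set-ActiveXWorkaround
if (Test-ActiveXWorkaround) {
    'ActiveX control installation disabled in IE zones 0-3'
} else {
    'Workaround not fully applied; inspect the zone keys'
}
```

Writing to the Policies hive means these settings override per-user Internet Options and survive a user changing them in the UI; Microsoft’s instructions call for a reboot after applying the values, and Test-ActiveXWorkaround can be rerun from the same script as an audit across a fleet.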
What is MSHTML? The vulnerability explained
According to a blog from cybersecurity firm Malwarebytes, MSHTML is the software component that renders web pages on Windows. It is usually associated with Internet Explorer, but it is also used by other software, including some versions of Skype, Outlook, Visual Studio and more.
The company called MSHTML the “beating heart” of Internet Explorer, so the vulnerability also exists in that browser. Internet Explorer is rarely used these days, with Microsoft pushing its Edge browser and Chrome, Firefox and others becoming more popular. However, MSHTML is also what Office applications use to display web content inside Office documents, the cybersecurity company says.
The attack depends on MSHTML loading a specially crafted ActiveX control when a target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware, according to Malwarebytes.