Microsoft Zero-Day-of-the-Month Club

When it comes to zero day attacks against Microsoft products, I often feel like Bill Murray’s character in the movie Groundhog Day. It seems like I keep waking up to the same scenario over and over and over, with attackers repeatedly exploiting zero-day vulnerabilities against Microsoft products. 

It has been a very busy year when it comes to Microsoft zero-day attacks. According to Brian Krebs, May is the only month in 2021 that Microsoft didn't release a patch to defend against at least one zero-day exploit. In July it was the PrintNightmare vulnerability. There were 6 different zero-day vulnerabilities patched in June. In March, Microsoft pushed out patches for 4 zero-day flaws in Microsoft Exchange Server that were exploited in the HAFNIUM attacks. These same flaws were also found in use in our latest research, the DeadRinger Report, which uncovered Chinese espionage.

It happened yet again this week: Microsoft issued a security advisory for another zero-day that is being exploited in active attacks in the wild. The flaw is in MSHTML, the rendering component of Internet Explorer, a web browser Microsoft no longer supports but whose engine is still used to render web-based content in Microsoft Office applications.

You can read fresh analysis of the MSHTML issue here from the Cybereason Global SOC Team.

It feels like déjà vu. There are so many zero-day exploits targeting Microsoft lately that I have to double-check the date when I see a headline to verify it's not just a story about last month's vulnerabilities. It must be exhausting for IT teams to react, month after month, to a new fire drill from Microsoft to patch or mitigate against yet another zero-day exploit.

Microsoft can't even protect its own platforms and products against attacks, yet they have the audacity to try to sell you security tools and expect you to trust them to protect your networks and data.

More Code, More Problems

The more code you have, the greater the chances that you will find a vulnerability in there somewhere. There is no such thing as perfect code, and vulnerabilities are a fact of life. But we shouldn’t let Microsoft off the hook that easily. Microsoft has a responsibility to its customers to do a better job of creating secure code and proactively identifying and fixing vulnerabilities before they become zero-day attacks. 

Microsoft also has a massive target on its back. The company has a virtual monopoly on the desktop operating system market, it's a major cloud platform provider, and Office 365 and the Microsoft Office applications are used pretty much everywhere. I spent the early days of my career conducting nation-state offensive operations, and a majority of what we did focused on exploiting Microsoft software vulnerabilities.

Cybercriminals follow the same logic. If an attacker is going to invest the time to research and discover vulnerabilities, and then develop exploits to attack vulnerable systems and applications, it makes sense to target the software that is most widely used. It creates a much larger pool of potential targets and exponentially increases the odds of success. 

Defending Against Zero-Days

Many organizations place their trust in a software vendor and lack the tools to effectively defend against attacks. Some even let the proverbial fox watch the henhouse by trusting Microsoft security tools to protect them. That is why they get caught off guard. That's how you end up with attacks like SolarWinds and HAFNIUM.

It’s important to follow the guidance from Microsoft to mitigate the risk from this threat. However, it’s a bad idea to put all of your eggs in one basket by trusting Microsoft to protect you when they can’t even protect themselves. 

Vulnerabilities are a fact of life. They may not all target Microsoft software, but there will always be new zero-days. 

IT and security teams should do everything they can to minimize the risk. They should have a robust vulnerability and patch management system in place and mitigate risk with network security tools and best practices. But they should also have the tools in place to defend against new zero-day attacks regardless of patches. 

With the right tools in place, you can detect and defend against zero-day attacks. You need an operation-centric approach to be able to detect when threats get into your environment—and have the ability to take immediate action to shut down malicious activity before any damage is done. 

This won’t be the last zero-day you face, and it certainly won’t be the last zero-day from Microsoft. Make sure you are prepared with the right tools so you can be confident that your environment is secure against all of them, from endpoints to everywhere. 

Lior Div
About the Author

Lior Div, CEO and co-founder of Cybereason, began his career in the famed Unit 8200, where he later served as a Commander. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.