September 10, 2021 | 3 minute read
The Cybereason Global Security Operations Center (SOC) issues Cybereason Threat Alerts to inform customers of emerging, high-impact threats. The Alerts summarize these threats and provide practical recommendations for protecting against them.
The Cybereason GSOC Managed Detection and Response (MDR) team is investigating CVE-2021-40444, a critical vulnerability in the Microsoft Hypertext Markup Language (MSHTML) web content rendering engine, which Internet Explorer and Microsoft Office applications use. The vulnerability enables attackers to use a malicious ActiveX control to execute arbitrary code on a target system.
This Threat Alert focuses on CVE-2021-40444 as exploited via malicious Office documents. Other applications that use the MSHTML engine, such as Internet Explorer, can also serve as vectors for exploiting the vulnerability.
CVE-2021-40444 is a critical vulnerability in the MSHTML rendering engine, which Microsoft Office applications use to process and display web content. An adversary who successfully exploits it can execute arbitrary code through a malicious ActiveX control in the security context of the user who opened the document; when that user is a local administrator, this amounts to full control of the system.
To exploit CVE-2021-40444, the attacker tricks a user into opening a specially crafted Office document. No macro is involved, so the attack does not depend on the user clicking Enable Content. Office opens documents that carry the Mark of the Web (files downloaded from the internet or received as email attachments) in Protected View, a read-only sandbox that does not load the embedded object; in that case the exploit runs only after the user leaves Protected View by clicking Enable Editing. A document that reaches the user without the Mark of the Web, for example one extracted by an archiver that does not propagate the mark, opens without Protected View and triggers the exploit as soon as it is opened.
A specific exploitation of CVE-2021-40444 observed in practice involves the following activities:
An OLE object in a specially crafted Microsoft Office document whose linked target is external web content that Office hands to the MSHTML engine for rendering
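A triage check that follows from the activity above: in an Office Open XML document, an embedded object is described by a relationship in a `_rels/*.rels` part, and a legitimate one points at an internal part such as `embeddings/oleObject1.bin`. An OLE relationship with `TargetMode="External"` and a URL target is what causes Office to hand the target to MSHTML. The script below, an added example that is not the alert's own tooling, opens a .docx as a zip archive and reports every external OLE target; the sample documents it builds are constructed for the demonstration and are not real malware samples, and the `mhtml:` URL shape in the suspect sample mirrors the form publicly reported for in-the-wild CVE-2021-40444 documents.

```python
"""Triage check: flag Office Open XML files whose OLE objects point outside the package."""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
)
# URL schemes that make Office hand the target to MSHTML; the publicly analysed
# CVE-2021-40444 samples used an mhtml: URL wrapping an http: URL.
WEB_SCHEMES = ("mhtml:", "http:", "https:")


def find_external_ole_targets(docx_bytes):
    """Return (rels_part, target, is_web_url) for every OLE relationship
    whose TargetMode is External.

    Internal targets (the normal case) are skipped; an external target is
    fetched when the document is rendered, and a web URL is the shape that
    reaches the MSHTML engine.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for name in package.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(package.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                is_web = target.lower().startswith(WEB_SCHEMES)
                findings.append((name, target, is_web))
    return findings


def build_sample_docx(ole_target, external):
    """Constructed minimal .docx for demonstration only (not a real-world sample).

    Only the parts the check reads are populated; Word would not open it.
    """
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="{ns}">'
        '<Relationship Id="rId5" Type="{type}" Target="{target}"{mode}/>'
        "</Relationships>"
    ).format(ns=RELS_NS, type=OLE_REL_TYPE, target=ole_target, mode=mode)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<document/>")
        package.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        for path in paths:
            with open(path, "rb") as fh:
                for part, target, is_web in find_external_ole_targets(fh.read()):
                    flag = " [URL: MSHTML will load it]" if is_web else ""
                    print("%s: external OLE target in %s: %s%s" % (path, part, target, flag))
    else:
        # No file given: run against the constructed samples.
        benign = build_sample_docx("embeddings/oleObject1.bin", external=False)
        suspect = build_sample_docx(
            "mhtml:http://example.invalid/side.html!x-usc:http://example.invalid/side.html",
            external=True,
        )
        print("benign:", find_external_ole_targets(benign))
        print("suspect:", find_external_ole_targets(suspect))
```

Run it with one or more .docx/.xlsx/.pptx paths to scan real files; with no arguments it checks the two constructed samples. An external target with a `file:` or UNC path is reported too (with the URL flag unset), because it is still an unusual construct worth a look. RTF carriers, which CVE-2021-40444 was also delivered in, are not covered by this check.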
Cybereason recommends the following: apply the workaround Microsoft published for CVE-2021-40444, which disables the installation of ActiveX controls in Internet Explorer for all security zones. Microsoft distributes it as a registry file that sets the URL actions 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) to 3 (disable) under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 through \3; the file begins with the header:
Windows Registry Editor Version 5.00
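The registry file below is the workaround as Microsoft published it in its CVE-2021-40444 advisory of September 7, 2021, added here as a reference (it is not the alert's own file). It sets the two ActiveX download URL actions to "disable" in the Local Machine, Intranet, Trusted Sites and Internet zones (zone IDs 0 through 3) via the policy hive, which takes precedence over the per-user zone settings.

```reg
Windows Registry Editor Version 5.00

; URL action 1001 = download signed ActiveX controls
; URL action 1004 = download unsigned ActiveX controls
; dword 3 = disable

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
```

Import the file with regedit (or `reg import`) as an administrator and reboot for it to take effect; afterwards `reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1004` should show `0x3`. Two caveats apply: the setting blocks the installation of new ActiveX controls only, so controls that are already installed continue to run, and it is a mitigation rather than a fix. Microsoft shipped the fix for CVE-2021-40444 in the September 14, 2021 security update, which supersedes this workaround.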
Aleksandar Milenkoski, Senior Security Analyst, Cybereason Global SOC
Aleksandar Milenkoski is a senior security analyst with the Cybereason Global SOC (GSOC) team. He is involved primarily in reverse engineering and threat research activities. Aleksandar holds a PhD in system security. Prior to Cybereason, his work focused on research in intrusion detection and on reverse engineering the security mechanisms of the Windows 10 operating system.
The Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.