Key Points:
- Microsoft issued an alert on September 7 to notify organizations about a new zero-day being exploited in real-world attacks.
- The vulnerability, Tracked as CVE-2021-40444, impacts Microsoft MHTML, a web page archive format used to combine the HTML code and its companion resources in a single computer file.
- Expmon and Mandiant informed Microsoft that they observed targeted attacks that attempted to exploit this vulnerability by using specially-crafted Microsoft Office documents
Summary
Microsoft issued an alert on September 7 to notify organizations about a new zero-day being abused in real-world attacks. Tracked as CVE-2021-40444, the vulnerability impacts Microsoft MHTML, a web page archive format used to combine the HTML code and its companion resources in a single computer file.
While MHTML was principally used for the now discontinued Internet Explorer browser, the archive format also works in Microsoft Office Word, Excel, and PowerPoint documents to render web-hosted content.
The alert reads “Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
Security researchers from Mandiant and Expmon discovered the attacks and the underlying zero-day.
Deepwatch Threat Intelligence Outlook
Neither Expmon, Mandiant, nor Microsoft has released details about the attacks, their targets, or the threat actor(s) exploiting this zero-day. However, Microsoft is expected to release a patch on September 14, during the company’s regular patch release schedule.
Until a patch is released, Microsoft has provided details on how to disable ActiveX rendering to prevent CVE-2021-140444 exploitation. Instructions on how to do so are included with Microsoft’s security advisory.