Microsoft MSHTML Remote Code Execution CVE-2021-40444

Try in Splunk Security Cloud

Description

CVE-2021-40444 is a remote code execution vulnerability in MSHTML, recently used to delivery targeted spearphishing documents.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2021-09-08
• Author: Michael Haag, Splunk
• ID: 4ad4253e-10ca-11ec-8235-acde48001122

Narrative

Microsoft is aware of targeted attacks that attempt to exploit this vulnerability, CVE-2021-40444 by using specially-crafted Microsoft Office documents. MSHTML is a software component used to render web pages on Windows. Although it is 2019s most commonly associated with Internet Explorer, it is also used in other software. CVE-2021-40444 received a CVSS score of 8.8 out of 10. MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications use the MSHTML component to display web content in Office documents. The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware. At the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks. \

1. Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones. Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed.

Detections

Name	Technique	Type
Control Loading from World Writable Directory	System Binary Proxy Execution, Control Panel	TTP
MSHTML Module Load in Office Product	Phishing, Spearphishing Attachment	TTP
Office Product Writing cab or inf	Phishing, Spearphishing Attachment	TTP
Office Spawning Control	Phishing, Spearphishing Attachment	TTP
Rundll32 Control RunDLL Hunt	System Binary Proxy Execution, Rundll32	Hunting
Rundll32 Control RunDLL World Writable Directory	System Binary Proxy Execution, Rundll32	TTP

Reference

• https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
• https://www.echotrail.io/insights/search/control.exe

source | version: 1