Microsoft experts have issued a warning about a new 0-day vulnerability in Microsoft MHTML (aka Trident), the proprietary Internet Explorer browser engine. The problem is already being exploited in real attacks against Office 365 and Office 2019 users on Windows 10. There is no patch yet.
The vulnerability was identified as CVE-2021-40444 and affects Windows Server 2008-2019 and Windows 8.1-10 (8.8 out of 10 on the CVSS scale). Although MHTML was primarily used for the Internet Explorer browser, it is also used in Office applications to render web-based content within Word, Excel, and PowerPoint documents.As Microsoft representatives explain, using this bug, an attacker can create a malicious ActiveX component that will be used by a Microsoft Office document and processed by MHTML. An attacker only has to convince the user to open such a malicious file, after that the attack can be considered a success.
It should be noted that the attack will not work if Microsoft Office is running with the default configuration and documents are opened through Protected View or Application Guard for Office 365. For example, Protected View is a read-only mode, in which most editing functions are disabled, and Application Guard isolates untrusted documents, preventing them from accessing corporate resources, the internal network, and other files on the system. Thus, systems with active Microsof Defender Antivirus and Defender for Endpoint (versions 1.349.22.0 and newer) must be protected from the vulnerability.
0-day was discovered by researchers from Mandiant and EXPMON. Moreover, EXPMON experts who monitor exploits write on Twitter that they found the vulnerability when they were analysing a “very complex 0-day attack” aimed at Microsoft Office users.
EXPMON specialist Haifei Li told Bleeping Computer that the attackers used the .DOCX file to attack. When opened, this document loaded the Internet Explorer engine to render the attacker’s remote web page. Then the malware was loaded using the ActiveX control located on this page. This was done using the “Cpl File Execution” feature mentioned in the Microsoft post.
The researcher emphasized that this attack method is 100% reliable, which makes it very dangerous.
Since patches are not available yet, Microsoft suggested the following solution to the problem: disabling the installation of all ActiveX components in Internet Explorer.
Let me remind you that we recently reported that New vulnerabilities in Microsoft Exchange have already affected tens of thousands of organizations.