Researchers warn that attackers are already sharing tutorials and an exploit for the MSHTML vulnerability (CVE-2021-40444) on hacker forums, allowing more hackers to exploit the new vulnerability in their attacks.
Let me remind you that last week Microsoft issued a warning about a new zero-day vulnerability in Microsoft MHTML (aka Trident), the proprietary Internet Explorer browser engine. The issue was reportedly already exploited in real attacks against Office 365 and Office 2019 users on Windows 10, but there is no patch for it yet.As Microsoft representatives explained, using this bug, an attacker can create a malicious ActiveX component that will be used by a Microsoft Office document and processed by MHTML. In fact, the attacker only has to convince the user to open such a malicious file, after which the attack can be considered a success.
Soon after this message from the IT giant, researchers warned that the problem could be more dangerous, since Protected View or Application Guard cannot always prevent its exploitation. In addition, the experts found that the vulnerability can also be exploited using RTF files, which are not protected by Office Protected View at all. We also noticed that the bug can be exploited through document previews.
Although the experts did not disclose the details of the methods used, fearing that they would be used by cybercriminals, the hackers were still able to reproduce the exploits on their own (based on information and samples of malicious documents available on the network). Now criminals are actively sharing detailed tutorials and information on hacking forums with each other, Bleeping Computer reporters say. For example, additional instructions for creating payloads and a custom CAB file have already been posted.
The information that is provided cybercriminals is simple and allows anyone to create their own version of the exploit for CVE-2021-40444, including a Python server for distributing malicious documents and CAB files. For example, using this information, journalists were able to recreate the exploit in about 15 minutes, as shown in the video below.
The magazine notes that currently Microsoft Defender and other security software can already detect and block malicious documents and CAB files used in attacks. Microsoft representatives, in turn, advised to disable ActiveX controls in Internet Explorer, and information security experts are recommending to disable document preview in Explorer.
