Experts have published an exploit for a 0-day vulnerability in Windows MSHTML

exploit for vulnerability in Windows MSHTML
Written by Emma Davis

Researchers warn that attackers are already sharing tutorials and an exploit for the MSHTML vulnerability (CVE-2021-40444) on hacker forums, allowing more hackers to exploit the new vulnerability in their attacks.

Let me remind you that last week Microsoft issued a warning about a new zero-day vulnerability in Microsoft MHTML (aka Trident), the proprietary Internet Explorer browser engine. The issue was reportedly already exploited in real attacks against Office 365 and Office 2019 users on Windows 10, but there is no patch for it yet.

The vulnerability affects Windows Server 2008-2019 and Windows 8.1-10 (8.8 out of 10 on the CVSS scale). Although MHTML was primarily used for the Internet Explorer browser, it is also used in Office applications to render web-based content within Word, Excel, and PowerPoint documents.said information security experts.

As Microsoft representatives explained, using this bug, an attacker can create a malicious ActiveX component that will be used by a Microsoft Office document and processed by MHTML. In fact, the attacker only has to convince the user to open such a malicious file, after which the attack can be considered a success.

Soon after this message from the IT giant, researchers warned that the problem could be more dangerous, since Protected View or Application Guard cannot always prevent its exploitation. In addition, the experts found that the vulnerability can also be exploited using RTF files, which are not protected by Office Protected View at all. We also noticed that the bug can be exploited through document previews.

Although the experts did not disclose the details of the methods used, fearing that they would be used by cybercriminals, the hackers were still able to reproduce the exploits on their own (based on information and samples of malicious documents available on the network). Now criminals are actively sharing detailed tutorials and information on hacking forums with each other, Bleeping Computer reporters say. For example, additional instructions for creating payloads and a custom CAB file have already been posted.

creating custom CAB file

creating payloads

The information that is provided cybercriminals is simple and allows anyone to create their own version of the exploit for CVE-2021-40444, including a Python server for distributing malicious documents and CAB files. For example, using this information, journalists were able to recreate the exploit in about 15 minutes, as shown in the video below.

The magazine notes that currently Microsoft Defender and other security software can already detect and block malicious documents and CAB files used in attacks. Microsoft representatives, in turn, advised to disable ActiveX controls in Internet Explorer, and information security experts are recommending to disable document preview in Explorer.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.