Threat Signal Report

Microsoft MSHTML Remote Code Execution Vulnerability Exploited in the Wild (CVE-2021-40444)

Description

Update as of September 14th: Microsoft has officially released patches for affected products. Please refer to the "Microsoft MSHTML Remote Code Execution Vulnerability" link in the APPENDIX section; the patches are listed under its "Security Update Section".

Update as of September 13th: Updated Status of Coverage with additional AV detection.

Update as of September 8th: Updated Status of Coverage with AV, IPS, Web Filtering, and EDR information.


FortiGuard Labs is aware of a newly discovered vulnerability in Microsoft Windows. Assigned CVE-2021-40444 and disclosed by Microsoft today, this vulnerability is a remote code execution vulnerability in Microsoft MSHTML affecting multiple Microsoft Windows platforms. MSHTML, also referred to as Trident, is Microsoft's legacy browser engine for Internet Explorer, specific to Microsoft Windows platforms. Microsoft has observed in-the-wild attacks leveraging this vulnerability, in which attackers deliver maliciously crafted Microsoft Office documents and rely on social engineering to get an unsuspecting victim to open them.


What are the Technical Details of the Vulnerability?

According to Microsoft, an attacker can create a malicious ActiveX control that is loaded by a Microsoft Office document hosting the browser rendering engine. For an attacker to successfully exploit this vulnerability, the target must be socially engineered into opening the maliciously crafted Office file.


Is this Being Exploited in the Wild?

Yes. According to Microsoft, this is limited to targeted attacks.


What is the CVSS score?

8.8 (HIGH)


Is there a Patch Available?

No. Microsoft states that there is no patch available at this time.


What Versions of Windows are Affected?

  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows RT 8.1
  • Windows 8.1 for x64-based systems
  • Windows 8.1 for 32-bit systems
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2016
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 for 32-bit Systems
  • Windows Server, version 20H2 (Server Core Installation)
  • Windows 10 Version 20H2 for ARM64-based Systems
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows Server, version 2004 (Server Core installation)
  • Windows 10 Version 2004 for x64-based Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for 32-bit Systems
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022
  • Windows 10 Version 21H1 for 32-bit Systems
  • Windows 10 Version 21H1 for ARM64-based Systems
  • Windows 10 Version 21H1 for x64-based Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2019
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems


Any Mitigation and/or Workarounds?

Disabling all ActiveX controls in Microsoft Internet Explorer will mitigate this issue. This is done by editing the registry, which should be done carefully, as incorrectly editing the registry can cause severe operating system issues. For specific details on how to perform these edits, please refer to the Workaround section of the Microsoft MSHTML Remote Code Execution Vulnerability link within the APPENDIX section.
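The following script is an added example, not from this report or from Microsoft's own tooling. It audits, and with -Apply sets, the interim workaround of disabling ActiveX control downloads in all four Internet Explorer security zones through policy. The zone policy path, the 1001 (signed) and 1004 (unsigned) ActiveX download settings, and the value 3 for Disable are taken from Microsoft's published workaround and are assumptions here; verify them against the Microsoft advisory linked in the APPENDIX before deploying.

```powershell
<#
  Added example (not from the FortiGuard report or from Microsoft): audits and,
  with -Apply, sets the interim workaround of disabling ActiveX control downloads
  in all four Internet Explorer security zones via machine policy.
  Assumed from Microsoft's published workaround (verify against the advisory):
  policy path ...\Internet Settings\Zones\0..3, values 1001 (download signed
  ActiveX controls) and 1004 (download unsigned ActiveX controls), 3 = Disable.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$ZoneRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet' }
$Settings  = @{ '1001' = 'Download signed ActiveX controls'; '1004' = 'Download unsigned ActiveX controls' }
$Disabled  = 3

$results = foreach ($zone in 0..3) {
    $key = Join-Path $ZoneRoot $zone
    foreach ($name in $Settings.Keys) {
        # Read the current policy value; $null means no policy is set for this zone/setting.
        $current = $null
        if (Test-Path $key) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }
        $compliant = ($current -eq $Disabled)

        # Writing under HKLM\SOFTWARE\Policies requires an elevated session; -WhatIf previews the change.
        if ($Apply -and -not $compliant -and $PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $Disabled")) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $name -Value $Disabled -PropertyType DWord -Force | Out-Null
            $current   = $Disabled
            $compliant = $true
        }

        $display = if ($null -eq $current) { 'not set' } else { $current }
        [pscustomobject]@{
            Zone      = "$zone ($($ZoneNames[$zone]))"
            Setting   = "$name ($($Settings[$name]))"
            Current   = $display
            Compliant = $compliant
        }
    }
}

$results | Format-Table -AutoSize
if ($results.Compliant -contains $false) {
    Write-Warning 'At least one zone still permits ActiveX control downloads; rerun with -Apply (elevated) to set the workaround.'
}
```

Run without arguments to audit only; the policy blocks installation of new ActiveX controls, while controls already installed on the host continue to run, so the audit is not a substitute for applying the vendor patch once available.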


What is the Status of Coverage? (Last updated on September 13th)

FortiGuard Labs have the following AV coverage against the files associated with the attack:

  • JS/Agent.NKE!tr (definitions version 88.00961)
  • MSOFFICE/Agent.DHY!tr (definitions version 88.00961)
  • W64/Agent.ASO!tr (definitions version 88.00798)
  • MSOffice/Agent.D455!tr.dldr (definitions version 88.09650)
  • MSOffice/Agent.CNG!tr.dldr (definitions version 88.09740)
  • JS/Agent.NKE!tr (definitions version 88.09620)
  • JS/CVE_2021_40444.181B!exploit
  • HTML/CVE202140444.06F3!tr

All known network IOCs are blocked by the Web Filtering client.

For FortiEDR, all known samples have been added to our cloud intelligence and will be blocked if executed.

For IPS protection, FortiGuard Labs has IPS coverage in place for this vulnerability as: MS.Office.MSHTML.Remote.Code.Execution

FortiGuard Content Disarm and Reconstruction (CDR) can protect users from this attack when the following option is enabled:

Enable/disable stripping of linked objects in Microsoft Office documents.

Definitions

Traffic Light Protocol

Color / When should it be used? / How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.