Microsoft Windows 10, Windows Server and Office zero-day attack: CVE-2021-40444


Microsoft has warned Windows 10 users that a previously unknown, and therefore unpatched, security vulnerability is being exploited by cybercriminals. The zero-day is rated high severity (one step below critical) and could allow an attacker to execute code remotely on the target computer and potentially gain full control of it.

Additionally, Microsoft has confirmed that cybercriminals are already exploiting CVE-2021-40444 and advises users to take prompt mitigation actions until an official fix is available. The US Cybersecurity and Infrastructure Security Agency (CISA) follows Microsoft’s lead and “also encourages users and administrators” to “implement mitigations and workarounds”.

Windows’ latest zero-day vulnerability explained

The vulnerability itself is in MSHTML, the Internet Explorer browser rendering engine, which may sound like a good thing. After all, no one uses Internet Explorer anymore, do they? Wrong. Microsoft Office documents also use this rendering engine, and this is where attackers aim the exploit. The zero-day was reported to Microsoft on the morning of Sunday, September 5 by an EXPMON researcher. The exploit detection company tweeted that Office users should be “extremely careful” about files until a fix is available.

Attackers use Office documents that, when opened, load MSHTML to render a specially crafted malicious web page, which in turn uses an ActiveX control to download the malware payload. Users without administrator rights will of course be less impacted than those with greater privileges.

“While this attack requires user interaction,” said Scott Caveza, head of research engineering at Tenable, “threat actors are likely to target victim organizations with personalized emails or attempt to exploit current events for a higher success rate.”

You can read an in-depth technical analysis of several documents carrying this exploit here.

Attackers go after the products with the biggest footprint

As I note in the Straight Talking Cyber video at the beginning of this article, Microsoft tops the rankings for disclosed security vulnerabilities, with Windows 10 being the Microsoft product with the most of them. This in itself is not necessarily surprising. “One of the reasons for this zero-day spike is that Microsoft is among the most ubiquitous business software in the world,” said Sam Curry, chief security officer at Cybereason. “If you’re a mugger and want victims, you’re looking for the biggest footprint.” Windows 10 and Microsoft Office certainly fit those shoes.


No patch yet, apply this workaround instead, Microsoft says

As this latest attack shows, opening Office documents from untrusted sources is still a risky and inadvisable activity. The good news, Microsoft said, is that Microsoft Defender Antivirus and Microsoft Defender for Endpoint provide detection and protection. Hopefully a fix will be available as part of the Patch Tuesday cycle next week, or even as an out-of-band update ahead of time, although that seems increasingly unlikely.

Reached for further advice, a Microsoft spokesperson said, “We have identified a limited number of targeted attacks,” and directed me to the Security Update Tips page that contains a workaround. This involves disabling Internet Explorer ActiveX controls by updating the system registry.
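As an added example (not from the article, and not Microsoft's own script), the following PowerShell audits and applies the registry workaround described above; the key paths, value names and the meaning of value 3 are taken from Microsoft's published advisory for CVE-2021-40444 rather than from this page, and the script assumes it is run in an elevated session.

```powershell
# Added example: audit and apply the CVE-2021-40444 workaround that blocks
# ActiveX control installation in every Internet Explorer security zone via
# policy registry values. Paths and value names come from Microsoft's advisory
# for this CVE (assumption: they are the ones your advisory copy lists).
# Run elevated; test on a non-production host first, since the policy also
# affects legitimate ActiveX use in IE and Office.

$basePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# 1001 = "Download signed ActiveX controls", 1004 = "Download unsigned ActiveX controls".
# Value 3 = Disable. Zones 0-3 = Local Machine, Local Intranet, Trusted Sites, Internet.
$valueNames = @('1001', '1004')
$zones = 0..3

function Get-ActiveXMitigationState {
    # One row per zone/value with the current setting ($null when unset).
    foreach ($zone in $zones) {
        $zonePath = Join-Path $basePath ([string]$zone)
        foreach ($name in $valueNames) {
            $current = $null
            if (Test-Path $zonePath) {
                $current = (Get-ItemProperty -Path $zonePath -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Zone      = $zone
                Value     = $name
                Current   = $current
                Mitigated = ($current -eq 3)
            }
        }
    }
}

function Set-ActiveXMitigation {
    # Creates missing policy keys and forces both values to 3 (Disable).
    foreach ($zone in $zones) {
        $zonePath = Join-Path $basePath ([string]$zone)
        if (-not (Test-Path $zonePath)) { New-Item -Path $zonePath -Force | Out-Null }
        foreach ($name in $valueNames) {
            New-ItemProperty -Path $zonePath -Name $name -Value 3 -PropertyType DWord -Force | Out-Null
        }
    }
}

# Audit first; apply only if any zone/value is not yet at the mitigated setting.
$state = Get-ActiveXMitigationState
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Mitigated }) {
    Set-ActiveXMitigation
    Get-ActiveXMitigationState | Format-Table -AutoSize
}
```

Because the article itself reports that a researcher bypassed this workaround, treat it as a stopgap and remove it once the patch is installed by deleting the policy values or restoring the original settings.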

However, former Microsoft Senior Threat Intelligence Analyst and well-known security researcher Kevin Beaumont has tweeted that he successfully modified a sample one-click attack so that he could bypass Microsoft’s workarounds.

Threat intelligence specialist Cyjax confirms that several security researchers have already successfully created exploits and warns that more attacks could be imminent.

Patch Tuesday can’t come soon enough, it seems.
