Patch day recap Sept. 2021: Update on MSHTML vulnerability CVE-2021-40444

Sicherheit (Pexels, allgemeine Nutzung)[German]The vulnerability CVE-2021-40444 in the Windows MSHTML library has been known public since September 7, 2021. Actors attempt to attack Windows machines via this vulnerability using manipulated Office files. As of September 14, 2021, Microsoft has addressed the vulnerability in Windows security updates. In addition, I have new analysis on the vulnerability. As a follow-up to Patch day, here is a summary of the current state of affairs.


MSHTML vulnerability CVE-2021-40444

The MSHTML library included in Windows has the vulnerability CVE-2021-40444, which allows remote code execution (RCE), among other things via manipulated Office documents. MSHTML (Trident) is the HTML rendering engine of Internet Explorer included in all previous versions of Windows. Some users believe that the systems are not vulnerable if Internet Explorer is not used. But mshtml.dll can be used by other programs as well. It is known that attackers have used manipulated Office documents to attack the vulnerability in the HTML rendering engine via ActiveX components downloaded from attacker's websites and reinstalled.

However, Microsoft's hints for mitigating the vulnerability, such as blocking the possibility to install ActiveX, were not sufficient to fend off the attacks. The protected view in Microsoft Office can also be bypassed in attacks. Microsoft had to make several improvements to the proposed workarounds, but failed to eliminate the root of the problem. I had pointed out these problems in the article Disaster Windows MSHTML vulnerability CVE-2021-40444, hopefully a patch will come today and in other posts (see end of article). The only hope for users was that virus scanners like Defender would detect and fend off an attack. 

In the meantime, LogPoint sent me a link to this short article describing how to detect attack attempts on the vulnerability – it's an advertisement for their solution, but the info might be helpful for other administrators. 

New analysis on CVE-2021-40444

Microsoft has also recently published an analysis of CVE-2021-40444. I came across the following tweet shortly before writing the German edition of this blog post.

Analyzing CVE-2021-40444

The analysis refers to known attacks and their course over time. Maybe someone can pull out some new information.


Microsoft delivers a patch for CVE-2021-40444

As of September 14, 2021, Microsoft then released a patch for CVE-2021-40444 and shipped it with the Windows cumulative updates that include Internet Explorer, as well as the Internet Explorer 11 cumulative update KB5005563, dated 9/14/2021.

Internet Explorer 11 cumulative update KB5005563 must be installed separately if only security-only updates are rolled out on Windows 7/Windows 8.1 requires. All other updates (update rollups for Windows 7/Windows 8.1, as well as cumulative updates for Windows 11) contain the patches for IE 11 and thus for MSHTML.dll.

However, there is no reference to the patched MSHTML.dll in the support articles for the updates. Rather, Microsoft has included the relevant information in the security advisory for vulnerability CVE-2021-40444. Tenable classifies the vulnerability as critical in this article.


– Microsoft MSHTML Remote Code Execution Vulnerability
– Version 2.0
– Reason for Revision: CVE updated to announce that Microsoft is releasing security
   updates for all affected versions of Windows to address this vulnerability. These
   updates include Monthly Rollups, Security Only, and IE Cumulative updates. Please
   see the FAQ for information on which updates are applicable to your system. Other
   information has been updated as well, including the following: 1) Executive Summary
   has been updated 2) FAQs have been added.
– Originally posted: September 7, 2021
– Updated: September 14, 2021

Does the patch eliminate CVE-2021-40444?

At this point, the question arises whether Microsoft has closed the CVE-2021-40444 with the security update in the first shot. Because according to this tweet, there is a DocX generator (see) that injects corresponding exploits into Office docx files. Some comments about mshtml.dll and changes due to the patch can be found here.

Security researcher Will Dormann points out in this tweet that there are many ways to trigger the vulnerability. However, according to Dormann, the vulnerabilities he is aware of have been fixed by the patch. The discussion thread can be found here on Twitter. But I just came across this tweet that talks about a new bug that the discoverer reported to Microsoft.

CVE-2021-40444-Patch bypassing?

Currently, it is not clear to me whether the vulnerability is fixed by the security updates. Let's wait and see what will become known in the next hours and days. My tip would be to read through the notes on IE.reg by Kanthak from the blog post Disaster Windows MSHTML vulnerability CVE-2021-40444, hopefully a patch will come today, to harden against the vulnerabilities. 

Similar articles
Attack via Office Documents on Microsoft MSHTML (ActiveX) RCE Vulnerability (CVE-2021-40444)
MSHTML vulnerability CVE-2021-40444 more critical than known
Disaster Windows MSHTML vulnerability CVE-2021-40444, hopefully a patch will come today

Patchday: Windows 10-Updates (September 14, 2021)
Patchday: Windows 8.1/Server 2012 Updates (September 14, 2021)
Patchday: Updates for Windows 7/Server 2008 R2 (September 14, 2021)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Office, Security, Update, Windows and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *