[German]The vulnerability CVE-2021-40444 in the Windows MSHTML library has been known public since September 7, 2021. Actors attempt to attack Windows machines via this vulnerability using manipulated Office files. As of September 14, 2021, Microsoft has addressed the vulnerability in Windows security updates. In addition, I have new analysis on the vulnerability. As a follow-up to Patch day, here is a summary of the current state of affairs.
MSHTML vulnerability CVE-2021-40444
The MSHTML library included in Windows has the vulnerability CVE-2021-40444, which allows remote code execution (RCE), among other things via manipulated Office documents. MSHTML (Trident) is the HTML rendering engine of Internet Explorer included in all previous versions of Windows. Some users believe that the systems are not vulnerable if Internet Explorer is not used. But mshtml.dll can be used by other programs as well. It is known that attackers have used manipulated Office documents to attack the vulnerability in the HTML rendering engine via ActiveX components downloaded from attacker's websites and reinstalled.
However, Microsoft's hints for mitigating the vulnerability, such as blocking the possibility to install ActiveX, were not sufficient to fend off the attacks. The protected view in Microsoft Office can also be bypassed in attacks. Microsoft had to make several improvements to the proposed workarounds, but failed to eliminate the root of the problem. I had pointed out these problems in the article Disaster Windows MSHTML vulnerability CVE-2021-40444, hopefully a patch will come today and in other posts (see end of article). The only hope for users was that virus scanners like Defender would detect and fend off an attack.
In the meantime, LogPoint sent me a link to this short article describing how to detect attack attempts on the vulnerability – it's an advertisement for their solution, but the info might be helpful for other administrators.
New analysis on CVE-2021-40444
The analysis refers to known attacks and their course over time. Maybe someone can pull out some new information.
Microsoft delivers a patch for CVE-2021-40444
As of September 14, 2021, Microsoft then released a patch for CVE-2021-40444 and shipped it with the Windows cumulative updates that include Internet Explorer, as well as the Internet Explorer 11 cumulative update KB5005563, dated 9/14/2021.
Internet Explorer 11 cumulative update KB5005563 must be installed separately if only security-only updates are rolled out on Windows 7/Windows 8.1 requires. All other updates (update rollups for Windows 7/Windows 8.1, as well as cumulative updates for Windows 11) contain the patches for IE 11 and thus for MSHTML.dll.
However, there is no reference to the patched MSHTML.dll in the support articles for the updates. Rather, Microsoft has included the relevant information in the security advisory for vulnerability CVE-2021-40444. Tenable classifies the vulnerability as critical in this article.
– Microsoft MSHTML Remote Code Execution Vulnerability
– Version 2.0
– Reason for Revision: CVE updated to announce that Microsoft is releasing security
updates for all affected versions of Windows to address this vulnerability. These
updates include Monthly Rollups, Security Only, and IE Cumulative updates. Please
see the FAQ for information on which updates are applicable to your system. Other
information has been updated as well, including the following: 1) Executive Summary
has been updated 2) FAQs have been added.
– Originally posted: September 7, 2021
– Updated: September 14, 2021
Does the patch eliminate CVE-2021-40444?
At this point, the question arises whether Microsoft has closed the CVE-2021-40444 with the security update in the first shot. Because according to this tweet, there is a DocX generator (see) that injects corresponding exploits into Office docx files. Some comments about mshtml.dll and changes due to the patch can be found here.
Security researcher Will Dormann points out in this tweet that there are many ways to trigger the vulnerability. However, according to Dormann, the vulnerabilities he is aware of have been fixed by the patch. The discussion thread can be found here on Twitter. But I just came across this tweet that talks about a new bug that the discoverer reported to Microsoft.
Currently, it is not clear to me whether the vulnerability is fixed by the security updates. Let's wait and see what will become known in the next hours and days. My tip would be to read through the notes on IE.reg by Kanthak from the blog post Disaster Windows MSHTML vulnerability CVE-2021-40444, hopefully a patch will come today, to harden against the vulnerabilities.
Attack via Office Documents on Microsoft MSHTML (ActiveX) RCE Vulnerability (CVE-2021-40444)
MSHTML vulnerability CVE-2021-40444 more critical than known
Disaster Windows MSHTML vulnerability CVE-2021-40444, hopefully a patch will come today
Cookies helps to fund this blog: Cookie settings