Windows attacks via 0-day in installer and vulnerability in MSHTML

Windows[German]Attackers are exploiting a now-patched CVE-2021-40444 vulnerability in Microsoft's MSHTML routines to attack Windows systems. And the 0-day vulnerability in Windows Installer that I addressed here on the blog the other days is being exploited by malware for privilege escalation. Here's an overview of the threats to Windows users via these two rails.


0-day exploited in Windows Installer

I had pointed out in the blog post 0-Day LPE Vulnerability in Windows Installer (Nov. 2021) that a security researcher had found a 0-day vulnerability in Windows Installer. Using this vulnerability, a local attacker could gain administrative privileges. This would not normally be a problem, as the 'Windows Installer Elevation of Privilege' vulnerability CVE-2021-41379 was patched in November 2021 by the regular security updates for Windows. 

Microsoft also assessed the vulnerability as low in its threat level (base CVSS score 5.5, temporary score 4.8) because the attacker must already be running an application locally on the system. However, the whole thing becomes a problem because the security researcher has found a workaround, the patch is ineffective. All Windows versions are affected, including Windows 10, the brand new Windows 11 and all Windows Server versions.

Security researchers from Cisco Talos already pointed out that the vulnerability is being exploited on November 23, 2021 in the article Attackers exploiting zero-day vulnerability in Windows Installer — Here's what you need to know and Talos' coverage. Specifically, it says that Talos has already discovered malware samples in the wild that attempt to exploit this vulnerability. Cisco Talos has therefore published new SNORTⓇ rules to protect against exploitation of this 0-day vulnerability in Microsoft Windows Installer. Hopefully, Microsoft will patch this vulnerability soon.

PowerShortShell grabs credentials via MSHTML bug

Recently, a new Iranian threat actor that steals Google and Instagram credentials from Farsi-speaking targets around the world was discovered by security researchers at SafeBreach Lab (see tweet). The attacker uses a new PowerShell-based stealer dubbed PowerShortShell by security researchers.

This info stealer is also used to monitor the Telegram platform and collect system information from compromised devices. The information, along with stolen credentials, is sent to servers controlled by the attackers, as Bleeping Computer colleagues write here.


This has been spread since July 2021 via spear phishing emails targeting Windows users with the RCE vulnerability CVE-2021-40444 in Microsoft MSHTML unpatched via compromised Word documents.

MSHTML (Trident) is the HTML rendering engine of Internet Explorer included in all previous versions of Windows. It is known that attackers have used manipulated Office documents to attack the vulnerability in the HTML rendering engine via ActiveX components downloaded from attacker websites and reinstalled. I have published a couple of posts on this vulnerability here on the blog (see the list of links at the end of the article).

As of September 14, 2021, Microsoft then released a patch for the CVE-2021-40444 vulnerability and shipped it with the Windows cumulative updates that include Internet Explorer and the Internet Explorer 11 cumulative update KB5005563, dated 9/14/2021. The problem is that Microsoft's security updates do not apply to older Windows 10 versions. ACROS Security therefore provides 0patch solutions to secure Windows against the MSHTML vulnerability (CVE-2021-40444). I had addressed this in the blog postWindows 10: 0patch fix for MSHTML vulnerability (CVE-2021-40444).


Now most of my blog readership will not be part of the Farsi-speaking population with Iranian roots. But the colleagues at Bleeping Computer have published the above graph, based on the very detailed SafeBreach report New PowerShortShell Stealer Exploits Recent Microsoft MSHTML Vulnerability to Spy on Farsi Speakers. The majority of victims are found in the US – but still 8.3% were detected in Germany. And the Netherlands is also doing well with 12.5%. 

CVE-2021-40444 targeted by more attackers

There is another aspect to the story: the RCE vulnerability CVE-2021-40444 in IE's MSTHML rendering engine has been exploited in the wild as a zero-day since August 18, 2021. Attackers thus exploited the vulnerability more than two weeks before Microsoft issued a security advisory with a partial workaround and three weeks before a patch was released.

Microsoft states that multiple threat actors (including ransomware offshoots) targeted this vulnerability using specially crafted Office documents distributed via phishing attacks. It involved a campaign that exploited the vulnerability by distributing custom Cobalt Strike beacon loaders. Bleeping Computer colleagues state that the vulnerability was most recently exploited by the Magniber ransomware group. Thus, the risk of an unpatched MSHTML library mutating into a gateway for malware is real.

Similar articles
Attack via Office Documents on Microsoft MSHTML (ActiveX) RCE Vulnerability (CVE-2021-40444)
MSHTML vulnerability CVE-2021-40444 more critical than known
Disaster Windows MSHTML vulnerability CVE-2021-40444, hopefully a patch will come today
Patch day recap Sept. 2021: Update on MSHTML vulnerability CVE-2021-40444
Windows 10: 0patch fix for MSHTML vulnerability (CVE-2021-40444)
0-Day LPE Vulnerability in Windows Installer (Nov. 2021)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *