Microsoft Zero-Day Vulnerability Announced - CVE-2021-40444

THE THREAT

On September 7th, 2021, Microsoft announced a new critical zero-day vulnerability impacting Windows devices. The vulnerability, tracked as CVE-2021-40444 (CVSS: 8.8), is an unauthenticated Remote Code Execution vulnerability. In an attack scenario, an adversary would send a maliciously crafted document to the potential victim; if the document is opened, code execution is achieved.

Microsoft has confirmed that targeted exploitation is ongoing. It is recommended that organizations apply the mitigations provided by Microsoft until security patches are released.

What we’re doing about it

• eSentire has created detections for this threat via eSentire MDR for Endpoint
• Indicator sweeps have been performed for all eSentire MDR for Endpoint clients
• eSentire Managed Vulnerability Service (MVS) will automatically add the relevant plugins for this vulnerability once details are made available
• eSentire security teams are tracking this threat for additional details and detection opportunities

What you should do about it

• Security patches should be applied once made available by Microsoft
• Microsoft has provided temporary mitigations; Organizations are recommended to disable the installation of all ActiveX controls in Internet Explorer
  • Specific instructions are provided in the full vulnerability release
• Organizations should consider reiterating spam and phishing email procedures for employees

Additional information

External security researchers have identified potential bypasses to the mitigations provided by Microsoft. As such, it is highly recommended that organizations apply the relevant security patches once released. Microsoft has not stated when security patches will be made available. Microsoft claims that both Microsoft Defender Antivirus and Defender for Endpoint are able to detect the exploitation of this vulnerability. It should be noted that user interaction is required for successful exploitation of the vulnerability. As such, users should be informed of the risks of opening unexpected documents and emails.

CVE-2021-40444 is a vulnerability found in MSHTML, the file that allows Microsoft Internet Explorer to read and display HTML webpages.

At this point, attacks exploiting CVE-2021-40444 are believed to be targeted in nature, likely by a single threat actor group. The publication of vulnerability details is likely to lead to wider exploitation in the immediate future.

Impacted Products:

• Windows 7
• Windows Server 2012
• Windows Server 2008
• Windows 8.1
• Windows Server 2016
• Windows 10
• Windows Server 2019
• Windows Server 2022

References:

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
[2] https://twitter.com/GossiTheDog/status/1435570418623070210