Update 2: Microsoft Zero-Day Vulnerability Announced - CVE-2021-40444

THE THREAT

UPDATE 2: As of September 14th, Microsoft has released security patches to address CVE-2021-40444 for all impacted versions of Windows. eSentire has tested the update and confirmed its validity against public exploits. Organizations are strongly recommended to apply these security patches as soon as possible, as exploitation in the wild is ongoing.

UPDATE: As of September 11th, public Proof-of-Concept (PoC) exploit code has been released for CVE-2021-40444. The availability of PoC code is expected to result in widespread exploitation of this vulnerability in the near future. eSentire security teams will continue to review exploit and malware samples for additional detection and prevention opportunities.

On September 7th, 2021, Microsoft announced a new critical zero-day vulnerability impacting Windows devices. The vulnerability, tracked as CVE-2021-40444 (CVSS: 8.8), is an unauthenticated Remote Code Execution vulnerability. In an attack scenario, an adversary would send a maliciously crafted document to the potential victim; if the document is opened, code execution is achieved.

Microsoft has confirmed that targeted exploitation is ongoing. It is recommended that organizations apply the available security patches as soon as possible.

What we’re doing about it

• eSentire has created detections for this threat via eSentire MDR for Endpoint
• Indicator sweeps have been performed for all eSentire MDR for Endpoint clients
• eSentire Managed Vulnerability Service (MVS) has a local plugin to identify this vulnerability
• eSentire security teams are tracking this threat for additional details and detection opportunities

What you should do about it

• After performing a business impact review, apply the relevant security patches provided by Microsoft
  • For specific details on patches for all impacted Windows products, see the official Microsoft Advisory
• Microsoft has provided temporary mitigations; Organizations are recommended to disable the installation of all ActiveX controls in Internet Explorer
  • Specific instructions are provided in the full vulnerability release
• Organizations should consider reiterating their security procedures which all employees are advised to follow so as to protect against spam and phishing emails

Additional information

External security researchers have identified potential bypasses to the mitigations provided by Microsoft. As such, it is highly recommended that organizations apply the relevant security patches. Microsoft claims that both Microsoft Defender Antivirus and Defender for Endpoint can detect the exploitation of this vulnerability. It should be noted that user interaction is required for successful exploitation of this vulnerability. As such, users should be informed of the risks of opening unexpected documents and emails.

CVE-2021-40444 is a vulnerability found in MSHTML, the file that allows Microsoft Internet Explorer to read and display HTML webpages.

At this point, attacks exploiting CVE-2021-40444 are believed to be targeted in nature, likely by a single threat actor group. The publication of the vulnerability’s details, as well as the public release of Proof-of-Concept exploit code, is likely to lead to wider exploitation in the immediate future.

Impacted Products:

• Windows 7
• Windows Server 2012
• Windows Server 2008
• Windows 8.1
• Windows Server 2016
• Windows 10
• Windows Server 2019
• Windows Server 2022

References:

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
[2] https://twitter.com/GossiTheDog/status/1435570418623070210