Microsoft MSHTML Remote Code Execution Vulnerability

The Issue

A new threat against Windows operating systems has been identified by MS Office attachments received in e-mails and downloads. Currently, there is no patch available.

What Happens?

An end-user opens a booby-trapped Office file from the internet, via email attachment or downloading a document. This document includes an ActiveX control which gives unrestricted access to the computer and exploits a bug that allows the same level of control as the end-user and implants malware. Specialists have validated this attack can also be triggered in Windows Explorer with ‘Preview Mode’ enabled indicating it can be exploited even without opening the file.


What Do I Do?

  • Advise all staff to avoid opening documents you weren’t expecting. Don’t be tempted to look at content just because an email or a document happens to align with your interests, your line of work, or your current research. That doesn’t prove that the sender knows you, or that they can be trusted in any way – that information is probably publicly available via your work website or your own social media posts.

  • Instruct staff to check for Phishing e-mails before opening attachments, see here.

  • Consider enforcing Protected View permanently for all external content. System administrators can enforce network-wide settings that prevent anyone from using the [Enable Content] option to escape from Protected View in Office. Ideally, you should never need to trust so-called active content in external documents, and you sidestep a wide range of attacks if you prevent yourself from enabling any active content altogether.

  • Disable ActiveX controls that use the MSHTML web renderer. Sysadmins can enforce this with network-wide registry settings that stops ActiveX controls that arrive in new documents from working at all, regardless of whether the document is opened in Protected View or not. This forms Microsoft’s official mitigation for the CVE-2021-40444 vulnerability.

Please contact OIA if you would like assistance with deploying any of the interim remedies or if you believe a staff member has opened a corrupt file.

15 views

Recent Posts

See All