Cybersecurity experts have warned that zero-day vulnerabilities in Microsoft products are being actively exploited, after reports of the exploitation of CVE-2021-40444, a remote code execution (RCE) vulnerability in Internet Explorer (IE) on Windows 10 and several Windows Server versions.
Forbes reports that the zero-day vulnerability was discovered by researchers, and can be exploited by crafting a malicious ActiveX control that is used by a Microsoft Office 365 document. There is currently no patch available for the vulnerability.
Typically, Office documents downloaded from the internet are opened in either Protected View or Application Guard, both of which mitigate the attack.
This means successful exploitation depends on convincing the target to open the malicious document, which then triggers the exploit and downloads the malicious file to the victim’s system.
Researchers from Trend Micro, who have been tracking the exploitation, said that at present, CVE-2021-40444 is being used to deliver Cobalt Strike payloads, which is almost always a precursor to a wider cyber attack.
In a blog, Trend’s team said: “We reiterate our long-standing advice to avoid opening files from unexpected sources, which could considerably lower the risk of this threat as it requires the user to actually open the malicious file.”
Microsoft said, in a security notice, that its Defender Antivirus and Defender for Endpoint products will both detect and protect against CVE-2021-40444, as long as they are both kept up to date.
Those who manage updates should select detection build 1.349.22.0 or newer and deploy it as soon as possible. Users can also mitigate the threat by disabling the installation of all ActiveX controls in IE.
Microsoft said that on completion of its investigation, it will take appropriate action to help protect its customers, which could include providing a security update through the monthly release process or an out-of-cycle security update.
The chief information security officer of data management company Veritas, Payman Armin, said that cybersecurity is the ultimate ‘cat-and-mouse’ game: as soon as vendors patch one hole, bad actors find another to sneak through.
“Compounding the problem is that it takes time to develop security patches that install properly and don’t break anything,” he said.
He explained that while Microsoft works hard to patch the vulnerability, organisations are left to rely on security software to prevent exploitations that, more often than not, allow successful ransomware and other attacks against data integrity.
“So, while security software is always a good first line of defence, including while waiting for patches, businesses have to operate under the assumption that it can be bypassed,” he added.
“In today’s security landscape, every organisation needs a backup plan – and that has to include comprehensive data protection to bounce back quickly when ransomware or other threats to data break through.”
The emergence of CVE-2021-40444 is the second time in as many months that zero-days have been found in MSHTML.
In its August 2021 Patch Tuesday drop, Microsoft fixed CVE-2021-34354, a critically rated flaw in MSHTML, which also enabled RCE on compromised systems. Successful exploitation of this bug requires a somewhat complex attack that, like CVE-2021-40444, requires the threat actor to interact with the user.