Microsoft Zero-Day Vulnerability Announced - CVE-2021-40444

THE THREAT

UPDATE: As of September 11th, public Proof-of-Concept (PoC) exploit code has been released for CVE-2021-40444. The availability of PoC code is expected to result in widespread exploitation of this vulnerability in the near future. eSentire security teams will continue to review exploit and malware samples for additional detection and prevention opportunities.

On September 7th, 2021, Microsoft announced a new critical zero-day vulnerability impacting Windows devices. The vulnerability, tracked as CVE-2021-40444 (CVSS: 8.8), is an unauthenticated Remote Code Execution vulnerability. In an attack scenario, an adversary would send a maliciously crafted document to the potential victim; if the document is opened, code execution is achieved.

Microsoft has confirmed that targeted exploitation is ongoing. It is recommended that organizations apply the mitigations provided by Microsoft until security patches are released.

What we’re doing about it

• eSentire has created detections for this threat via eSentire MDR for Endpoint
• Indicator sweeps have been performed for all eSentire MDR for Endpoint clients
• eSentire Managed Vulnerability Service (MVS) has a local plugin to identify this vulnerability
• eSentire security teams are tracking this threat for additional details and detection opportunities

What you should do about it

• Security patches should be applied once made available by Microsoft
• Microsoft has provided temporary mitigations; Organizations are recommended to disable the installation of all ActiveX controls in Internet Explorer
  • Specific instructions are provided in the full vulnerability release
• Organizations should consider reiterating their security procedures which all employees are advised to follow so as to protect against spam and phishing emails

Additional information

External security researchers have identified potential bypasses to the mitigations provided by Microsoft. As such, it is highly recommended that organizations apply the relevant security patches once released. Microsoft has not stated when security patches will be made available. Microsoft claims that both Microsoft Defender Antivirus and Defender for Endpoint can detect the exploitation of this vulnerability. It should be noted that user interaction is required for successful exploitation of this vulnerability. As such, users should be informed of the risks of opening unexpected documents and emails.

CVE-2021-40444 is a vulnerability found in MSHTML, the file that allows Microsoft Internet Explorer to read and display HTML webpages.

At this point, attacks exploiting CVE-2021-40444 are believed to be targeted in nature, likely by a single threat actor group. The publication of the vulnerability’s details is likely to lead to wider exploitation in the immediate future.

Impacted Products:

• Windows 7
• Windows Server 2012
• Windows Server 2008
• Windows 8.1
• Windows Server 2016
• Windows 10
• Windows Server 2019
• Windows Server 2022

References:

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
[2] https://twitter.com/GossiTheDog/status/1435570418623070210