An unpatched Windows 10 vulnerability has been exploited once again, and working exploits have been shared on hacking forums. A security advisory from Redmond states that the security hole CVE-2021-40444 affects the “MSHTML” component of Internet Explorer (IE) on Windows 10 and many Windows Server versions.
According to the announcement, the zero-day vulnerability in Windows MSHTML allows attackers to create malicious documents, including Office and RTF documents, that give the attacker the ability to remotely execute commands on a victim’s computer.
Although no security update is available for CVE-2021-40444 yet, Microsoft has decided to disclose the vulnerability and provide mitigations to prevent further exploitation.
In its statement Microsoft said, “An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
The threat can be mitigated by blocking ActiveX controls in IE and disabling Word/RTF document previews in Windows Explorer. But attackers were able to modify the exploit so that it no longer relies on ActiveX, bypassing Microsoft’s mitigation.
Exploits shared
Taking their lead from Microsoft’s disclosure of the Windows MSHTML zero-day, tracked as CVE-2021-40444, security researchers and hacking forum members got into action, located the malicious documents used in the attacks online, and identified who else was abusing them.
Inspired by @buffaloverflow, I tested out the RTF attack vector. And it works quite nicely.
WHERE IS YOUR PROTECTED MODE NOW? pic.twitter.com/qf021VYO2R
— Will Dormann (@wdormann) September 9, 2021
They had a field day reproducing, exploiting and further modifying these documents for more functionality and additional vulnerabilities. This gave an advantage to threat actors, who took the samples posted online and shared them with fellow attackers on hacking forums.
Not sure if Microsoft fixed this (my VM is unpatched). But it works in explorer preview mode via RTF: https://t.co/GI9xr71JKt pic.twitter.com/H5cdmL8tpX
— Rich Warren (@buffaloverflow) September 8, 2021
According to a report on BleepingComputer, the shared information is easy to follow and allows anyone to create their own working version of the CVE-2021-40444 exploit, including a Python server to distribute the malicious documents and CAB files.
Microsoft advises
- Disable ActiveX controls in Internet Explorer
- Disable document preview in Windows Explorer
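The two workarounds above, applied and verified with PowerShell, as an added example that is not part of the article. The registry locations (the URL-action values 1001/1004 under the Internet Settings zones, and the preview-handler ShellEx key per file extension) are assumed from Microsoft’s published workaround guidance, not taken from this page; run it elevated and export the keys first.

```powershell
# Added example: apply Microsoft's CVE-2021-40444 workarounds and check the result.
# Registry paths below are assumed from Microsoft's workaround guidance, not from the article.

$ZonesRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# URL actions: 1001 = download signed ActiveX, 1004 = download unsigned ActiveX; 3 = Disable
$ActiveXActions = @{ '1001' = 3; '1004' = 3 }
# Zone ids 0..3: Local Machine, Local Intranet, Trusted Sites, Internet
$ZoneIds = 0..3

function Disable-ActiveXDownload {
    foreach ($zone in $ZoneIds) {
        foreach ($action in $ActiveXActions.Keys) {
            New-ItemProperty -Path "$ZonesRoot\$zone" -Name $action -PropertyType DWord `
                -Value $ActiveXActions[$action] -Force | Out-Null
        }
    }
}

# Audit helper: returns $true only when every zone has both actions set to Disable.
function Test-ActiveXDisabled {
    $ok = $true
    foreach ($zone in $ZoneIds) {
        $props = Get-ItemProperty -Path "$ZonesRoot\$zone"
        foreach ($action in $ActiveXActions.Keys) {
            if ($props.$action -ne 3) {
                Write-Warning "Zone $zone action $action is not set to Disable"
                $ok = $false
            }
        }
    }
    return $ok
}

# Second workaround: clear the preview-handler registration (IPreviewHandler IID) for
# document types so Explorer's preview pane no longer renders them.
$PreviewHandlerIid = '{8895b1c6-b41f-4c1c-a562-0d564250836f}'
function Disable-DocumentPreview {
    param([string[]]$Extensions = @('.rtf', '.doc', '.docx'))
    foreach ($ext in $Extensions) {
        $key = "Registry::HKEY_CLASSES_ROOT\$ext\ShellEx\$PreviewHandlerIid"
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name '(default)' -Value ''
            Write-Output "Preview handler cleared for $ext"
        }
    }
}

Disable-ActiveXDownload
Disable-DocumentPreview
if (Test-ActiveXDisabled) { Write-Output 'ActiveX download disabled in all zones' }
```

Note that the article itself points out that later exploit variants do not depend on ActiveX, so this is a reduction of exposure, not a replacement for the vendor patch.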
Users still have to be cautious until an official security update is released, as threat actors have further modified the exploit to bypass Microsoft’s mitigations.
Spate of Microsoft Vulnerabilities
Every cybersecurity site has been reporting Microsoft vulnerabilities since the beginning of the year. In the month of August alone Microsoft released 44 security patches. Some of the reported affected tools include .NET Core & Visual Studio, ASP.NET Core & Visual Studio, Azure, Windows Update, Windows Print Spooler Components, Windows Media, Windows Defender, Remote Desktop Client, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Office, Microsoft Office Word, Microsoft Office SharePoint and more.
The Microsoft Vulnerabilities Report 2021 by BeyondTrust highlights that unpatched vulnerabilities are the cause of 1 in 3 breaches around the world.
Key findings
- 1,268 Microsoft vulnerabilities were discovered in 2020, a record-high number with a 48% increase YoY
- Reported vulnerabilities have risen 181% in the last five years (2016-2020)
- For the first time, “Elevation of Privilege” was the #1 vulnerability category, comprising 44% of the total, nearly three times more than in the previous year
Microsoft, being the most widely used platform, is an obvious target and exposed to vulnerabilities given its large user base. A high number of zero-day threats have been reported, and we need to see more proactive patching and response to these exploits.