Microsoft is currently investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. The exploitation of this vulnerability may allow a remote attacker to take control of an affected system. In addition, this vulnerability has been detected in exploits in the wild.
Microsoft has confirmed targeted attacks have attempted to exploit this vulnerability by using specially-crafted Microsoft Office documents. In an update, Microsoft explains, “An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
John Bambenek, Principal Threat Hunter at Netenrich, a San Jose, Calif.-based digital IT and security operations company, says, “Malicious office docs are a go-to favorite for cybercriminals and hostile nation-states. This vulnerability allows more direct exploitation of a system than the usual tricking users to disable security controls. As this is already being exploited, immediate patching should be done as soon as possible. However, this is a stark reminder that in 2021, we still can’t send documents from point A to point B securely.”
The company says both Microsoft Defender Antivirus and Microsoft Defender for Endpoint provide detection and protection for this vulnerability; however, customers should keep antimalware products up to date.
Jake Williams, Co-Founder and CTO at BreachQuest, an Augusta, Georgia-based leader in incident response, explains, MSHTML is a component used by myriad applications on Windows. If you’ve ever opened an application that seemingly “magically” knows your proxy settings, that’s likely because it uses MSHTML under the hood. While there are currently few details available about the vulnerability, the impact is likely to extend beyond MS Office. Vulnerabilities like these tend to have extremely long lifetimes for exploitation in the wild, highlighting the need for security monitoring and periodic threat hunting.”
Upon completing this investigation, Microsoft says it will take the appropriate action to help protect users, including providing a security update through the monthly release process or providing an out-of-cycle security update, depending on customer needs.
However, the good news is that this vulnerability is client-side and requires user interaction, says Casey Ellis, Founder and CTO at Bugcrowd, a San Francisco, Calif.-based crowdsourced cybersecurity platform. “A patch will be available soon. Unfortunately, that’s the end of the good news. Exploit complexity appears quite low, the impact is very high, and its weaponized form is useful in many different attacks, including ransomware installation. The constant challenge with client-side vulnerabilities like this one is that there are a lot of systems that need to be patched, which means they stay available for exploitation to attackers for quite some time.”