Windows MSHTML zero-day vulnerability actively exploited for remote code execution
Bad actors have begun circulating tutorials and exploits on hacking forums that make use of a zero-day vulnerability in Windows MSHTML that Microsoft revealed last Tuesday. This vulnerability allows hackers to create malicious Microsoft Office and RTF documents that remotely execute malicious commands on the victim's computer. There is no patch for the vulnerability yet; because it was already being actively exploited, Microsoft published mitigations instead.
Microsoft's plan to reveal vulnerability appears to have backfired royally
The new Windows MSHTML vulnerability is uniquely identifiable by the code CVE-2021-40444. Security researchers at EXPMON and Mandiant found it being actively exploited in attacks. Microsoft decided it was a good idea to publicly disclose this vulnerability and issue mitigations. Obviously, hackers have modified the exploit, found ways to bypass Microsoft's mitigations, and shared detailed how-to instructions for abusing it on hacking forums.
Microsoft Office documents can execute malicious code remotely
Microsoft's MSHTML vulnerability allows seemingly ordinary Microsoft Office documents and Rich Text Files (RTFs) to execute malicious code on the victim's computer. The guides posted by the hackers explain everything: how to use the vulnerability, create a malicious document, generate a payload (malicious code) and a CAB file, and run a Python server to distribute the malicious document and CAB file.
Demonstration of how a document exploiting the vulnerability opens the calculator app from the preview alone
Windows Defender can block vanilla attacks using this vulnerability
BleepingComputer reported that anyone with technical competence should be able to get an exploit up and running in around 15 minutes. Thankfully, Windows Defender can detect and block the malicious documents and CAB files used in this type of attack. Microsoft provided mitigations: blocking ActiveX controls in Internet Explorer, the default handler for the MSHTML protocol, and blocking document previews in Windows Explorer.
Microsoft suggests disabling document previews, all ActiveX controls
Unfortunately, the bad actors and hackers have found ways to work around Microsoft's mitigations, and exploits could be at large until Microsoft patches the vulnerability with a security update. Until then, we suggest you follow Microsoft's advice and disable all ActiveX controls in Internet Explorer. Also, disable document previews in Windows Explorer. Both changes are made through registry settings.
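The following PowerShell script audits, and optionally applies, the first of those mitigations, the Internet Explorer ActiveX download restriction. It is an added example for this article, not Microsoft's own tooling, and it assumes the policy key and value names that Microsoft's CVE-2021-40444 workaround uses (1001 and 1004 under each security zone, data 3 = Disable); the document-preview change is not covered here.

```powershell
# Added example (not from the article): audit, and with -Apply enforce, the
# Internet Explorer ActiveX download restriction used as a CVE-2021-40444
# workaround. Assumption: the policy path, value names 1001 (download signed
# ActiveX) and 1004 (download unsigned ActiveX), and data 3 (Disable) follow
# Microsoft's published workaround. Applying requires an elevated shell.
param([switch]$Apply)

$ZonesPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Required  = @{ '1001' = 3; '1004' = 3 }   # 3 = Disable for both settings
$Findings  = @()

# Zones 0-3: Local Machine, Local Intranet, Trusted Sites, Internet
foreach ($zone in 0..3) {
    $key = Join-Path $ZonesPath $zone
    foreach ($name in $Required.Keys) {
        # Missing key or value yields $null, which is reported as non-compliant
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        $compliant = ($current -eq $Required[$name])

        $Findings += [pscustomobject]@{
            Zone      = $zone
            Value     = $name
            Current   = $current
            Compliant = $compliant
        }

        if (-not $compliant -and $Apply) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                -Value $Required[$name] -Force | Out-Null
        }
    }
}

$Findings | Format-Table -AutoSize

if (($Findings.Compliant -contains $false) -and -not $Apply) {
    Write-Warning 'ActiveX download mitigation is not fully applied; re-run with -Apply from an elevated shell.'
}
```

Because these are policy keys, the setting persists after the security update is installed and should be reverted once it is no longer needed.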