Microsoft recently issued a warning for CVE-2021-40444, a zero-day remote code execution (RCE) vulnerability in
MSHTML (Microsoft HTML) which is currently exploiting multiple versions of Windows and Office.
This is a critical issue as cybercriminals are known to choose Office documents as a popular tactic to infect victims with their malicious content. This vulnerability only requires users to open a single document and no further interactions are necessary before the system is compromised. Besides an Office document, this vulnerability can affect other applications such as Skype, Microsoft Outlook, Visual Studio etc. that use
MSHTML engine under its hood.
MSHTML (Microsoft HTML or Trident) is a web page rendering engine associated with the legacy Internet Explorer (IE). Even though IE is no longer available in Windows 11 - the
MSHTML rendering engine is still present. Although commonly associated with IE,
MSHTML is also used by several applications such as Skype, Microsoft Outlook, Visual Studio and others to render the HTML content.
Microsoft Office applications commonly use
MSHTML to render and display web content in Office documents. Threat actors have found a way to abuse the
MSHTML vulnerability and launch specially crafted ActiveX controls which bypass native defenses and user consent to engage native Windows binaries that infect the target system. Due to its legacy and unsecure design, ActiveX has been notoriously exploited by cybercriminals to carry out their nefarious agendas.
At its core, this exploit is about forcing the HTML rendering (using the old, unsecure IE engine) to launch ActiveX controls and compromise security controls using native Windows binary. With this vulnerability, the attacker remains undetected while gaining system access and can execute codes remotely.
Figure: Exploiting CVE-2021-40444
To gain a perspective into this dangerous flaw, Bitdefender researchers obtained malicious artifacts and reviewed the Tactics, Techniques and Procedures (TTPs) used by the attackers. Below is a quick walk-through of how the vulnerability may be exploited:
Malicious Office document requests rendering using
MSHTML object – rendering engine from Internet Explorer (IE)
Microsoft Office documents such as .docx, .xlsx, .ppt are plain archives with media and XML files (as shown in the figure below). To view the content, one can change the extension of any Office files to .zip format.
While investigating the malicious Word (.docx) document, a MIME HTML (
MHTML) Object Linking and Embedding (OLE) object was discovered pointing to the untrusted third-party website
hidusi[.]com. Researchers have identified that the remote object from the website can be fetched using a regular HTTP connection and doesn’t require using exotic protocols such as
Figure: Snippet of an example Word document
Figure: ActiveX controls unpack, store and execute files locally
With the help of native binary tools (see LOLBins), these ActiveX controls execute the payload (
.inf files as seen above).
Figure: Masqueraded payload detected as malicious
In this PoC, a malicious Windows library file (
.dll) is masqueraded as
.inf and executed in the context of the
rundll32.exe utility. As this utility tool can run any file irrespective of the extension, attackers can use the technique to cloak the malicious payloads. To prove this theory, in this example, the malicious
.dll file has been renamed to
.txt file. As seen below, the security agent detected the file
side.txt and promptly classified it as a threat.
As of September 14, 2021, Microsoft released security updates to address this vulnerability and has advised consumers to install these updates immediately. However, independent researchers have already reproduced the exploit with modified capabilities. As per this tweet, Rich Text Format (.rtf) files are also vulnerable and can be weaponized as a workaround to Microsoft’s recommendations.
In line with Microsoft’s guidelines, our researchers recommend keeping the Bitdefender engine updated to the latest versions. The Bitdefender Patch Management add-on module can identify risks and vulnerabilities prior to the cybercriminals exploiting the weakness.
In the image below, Bitdefender agent identified the root cause (Outlook), detected the malicious Word file (malicious.docx) and classified it as malware.
Apart from the malicious Office file, our technology also detected the compromised websites and ActiveX scripts abusing the
MSHTML vulnerability to execute malicious payloads in the environment.
Figure: GravityZone detects CVE-2021-40444
Our researchers recommend disabling all ActiveX control installation in the Internet Explorer by configuring the Group Policy Objects (GPO) . Currently, ActiveX controls are mostly required to operate within Intranet networks.
Documents must be viewed in Protected View to limit the impact and prevent the cybercriminals from gaining access to the network. Users must be educated to not open Office documents from unreliable sources. Currently there are methods to bypass the Protected View, for example using .rtf files and additional caution must be exercised.
Indicators of Compromise
Specific detection of this attack has been added to Bitdefender products (
Generic.Ursnif.3.*). The malicious domains used in the attack were also blacklisted in our traffic scan engine. The exploit execution is detected with our behavioral engine and the Endpoint Detection and Response (EDR) engine can detect any suspicious commandline activity.
We would like to thank Florin Stefan CIRLOANTA and Adrian Stefan POPESCU for their help in putting this advisory together.
Don’t miss out on exclusive content and exciting announcements!