Microsoft fixes Windows CVE-2021-40444 MSHTML zero-day bug – BleepingComputer

Microsoft fixes Windows CVE-2021-40444 MSHTML zero-day bug
Microsoft today fixed a high severity zero-day vulnerability actively exploited in targeted attacks against Microsoft Office and Office 365 on Windows 10 computers.
The remote code execution (RCE) security flaw, tracked as CVE-2021-40444, was found in MSHTML, the Internet Explorer browser rendering engine that Microsoft Office also uses to render web content embedded in documents.
According to Microsoft, CVE-2021-40444 impacts Windows Server 2008 through 2019 and Windows 8.1 or later, and it has a severity level of 8.8 out of the maximum 10.
“Microsoft has released security updates to address this vulnerability,” the company said today in an advisory update published as part of this month’s Patch Tuesday.
“Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately.”
The targeted attacks detected by Microsoft tried to exploit the vulnerability by sending specially crafted Office documents with malicious ActiveX controls to potential victims.
Luckily, these attacks were thwarted if Microsoft Office ran with the default configuration, which opens untrusted documents in Protected View mode (or with Application Guard for Office 365 customers).
However, as CERT/CC vulnerability analyst Will Dormann later told BleepingComputer, this built-in protection against CVE-2021-40444 exploits would likely be bypassed either by users ignoring Protected View warnings or by attackers delivering the malicious documents bundled within 7Zip archives or ISO containers.
If the document is in a container that is processed by something that is not MotW-aware, then the fact that the container was downloaded from the Internet will be moot. For example, if 7Zip opens an archive that came from the Internet, the extracted contents will have no indication that they came from the Internet. So no MotW, no Protected View.
Similarly, if the document is in a container like an ISO file, a Windows user can simply double-click on the ISO to open it. But Windows doesn’t treat the contents as having come from the Internet. So again, no MotW, no Protected View.
This attack is more dangerous than macros because any organization that has chosen to disable or otherwise limit Macro execution will still be open to arbitrary code execution simply as the result of opening an Office document. – Will Dormann
Furthermore, Dormann also found that threat actors could exploit this vulnerability using maliciously crafted RTF files, which don’t benefit from Office’s Protected View security feature.
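The Mark-of-the-Web that Dormann refers to is the NTFS `Zone.Identifier` alternate data stream Windows attaches to downloaded files. The following PowerShell is an added example, not code from the article or from Microsoft, that reads that stream and lists Office and RTF files under a folder (for instance, the output of a 7Zip extraction or a mounted ISO) that carry no Internet mark and would therefore not open in Protected View. It assumes NTFS, Windows PowerShell 5.1 or later, and that Office treats ZoneId 3 (Internet) and 4 (Restricted sites) as untrusted.

```powershell
# Added example (not from the article): read the Mark-of-the-Web (MotW) from the
# Zone.Identifier alternate data stream and find Office/RTF files that lack it.
# Assumes NTFS and Windows PowerShell 5.1+.

function Get-MotWZoneId {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # No Zone.Identifier stream at all: the file is not marked as Internet-sourced.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }

    # The stream is INI-like: [ZoneTransfer] / ZoneId=3 / HostUrl=... (3 = Internet zone).
    foreach ($line in (Get-Content -LiteralPath $Path -Stream Zone.Identifier)) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Find-UnmarkedOfficeFiles {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Folder)

    # RTF is included because the article notes it does not get Protected View anyway.
    $extensions = '.doc', '.docx', '.docm', '.dot', '.dotm', '.rtf',
                  '.xls', '.xlsx', '.xlsm', '.ppt', '.pptx', '.pptm'

    Get-ChildItem -LiteralPath $Folder -File -Recurse |
        Where-Object { $extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $zone = Get-MotWZoneId -Path $_.FullName
            [pscustomobject]@{
                File          = $_.FullName
                ZoneId        = $zone
                # Assumption: Office opens zones 3 (Internet) and 4 (Restricted) in Protected View.
                ProtectedView = ($zone -eq 3 -or $zone -eq 4)
            }
        } |
        Where-Object { -not $_.ProtectedView }
}

# Usage: Find-UnmarkedOfficeFiles -Folder "$env:USERPROFILE\Downloads\extracted"
```

Run it against a folder extracted by 7Zip versus one saved directly by a browser to see the difference Dormann describes: the extracted copies report no ZoneId and a ProtectedView value of False.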
Today’s security updates address the vulnerability for all affected versions of Windows and include a Monthly Rollup, a Security Only update, and an Internet Explorer cumulative update.
“Customers running Windows 8.1, Windows Server 2012 R2, or Windows Server 2012 can apply either the Monthly Rollup or both the Security Only and the IE Cumulative updates,” according to Microsoft.
“The Monthly Rollup for Windows 7, Windows Server 2008 R2, and Windows Server 2008 includes the update for this vulnerability. Customers who apply the Monthly Rollup do not need to apply the IE Cumulative update.
“Customers who only apply Security Only updates need to also apply the IE Cumulative update to be protected from this vulnerability.”
BleepingComputer independently confirmed that known CVE-2021-40444 exploits no longer work after applying today’s patches.
Those who cannot immediately apply today’s security updates should implement Microsoft’s workarounds (disabling ActiveX controls via Group Policy and disabling document preview in Windows Explorer) to reduce the attack surface.