
Attackers exploit MSHTML browser engine via malicious ActiveX controls


Microsoft on Tuesday released a patch and mitigation instructions for a remote code execution vulnerability in Microsoft's MSHTML browser engine that remote attackers are actively exploiting in the wild.

Also referred to as Trident, MSHTML was developed by Microsoft for the Windows version of Internet Explorer. According to a Microsoft advisory, attackers can exploit the flaw (designated CVE-2021-40444) by creating a malicious ActiveX control "to be used by a Microsoft Office document that hosts the browser rendering engine." Then the adversaries would use phishing or social engineering tactics to trick users into opening the weaponized doc.

Users with admin rights are especially endangered by the scheme, which the Department of Homeland Security's CISA office also disclosed in an advisory this week.

Jake Williams, co-founder and CTO at BreachQuest, said the impact likely transcends just Microsoft Office.

"MSHTML is a component used by myriad applications on Windows. If you've ever opened an application that seemingly magically knows your proxy settings, that's likely because it uses MSHTML under the hood," said Williams. "The impact is likely to extend beyond MS Office. Vulnerabilities like these tend to have extremely long lifetimes for exploitation in the wild, highlighting the need for security monitoring and periodic threat hunting."

Indeed, "the consistent challenge with client-side vulnerabilities like this one is that there are a lot of systems that need to be patched, which means they stay available for exploitation to attackers for quite some time," said Casey Ellis, founder and CTO at Bugcrowd.

On the plus side, the vulnerability requires the user to perform an action for the exploit to work, so attackers must clear additional hurdles, and with good security awareness training, targets hopefully won't fall for the trap. Still, in order to sell the con, "threat actors are likely to target victim organizations with tailored emails or attempt to exploit current news events for a higher success rate" at phishing, warned Scott Caveza, research engineering manager at Tenable.

"Do not get socially engineered into clicking on the malicious link or opening the rigged document and you will be OK," said Roger Grimes, data driven defense evangelist at KnowBe4. "But of course, because some percentage of the population will not have heard about this and can be socially engineered, it is best to apply the patch. Especially since it is being detected in the wild already and will likely be used against millions of potential targets."

Other factors in the attackers' favor: "Exploit complexity appears quite low, the impact is very high, and its weaponized form is useful in many different attacks, including the installation of ransomware," Ellis noted.

In its advisory, Microsoft notes that Microsoft Defender Antivirus and Microsoft Defender for Endpoint "both provide detection and protections for the known vulnerability" and recommends that customers "keep anti-malware products up to date." Users who rely on automatic updates will not need to take any additional actions, but those who update manually are advised to deploy the detection build 1.349.22.0 or newer across their environments.

Disabling the installation of all ActiveX controls in Internet Explorer is another option for those looking to mitigate the attack.
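For administrators who want to verify both mitigations on a host, the following PowerShell audit is an added example, not code from Microsoft's advisory or from this article. It checks the Defender detection build against the 1.349.22.0 minimum quoted above and checks whether ActiveX installation is disabled by policy. The registry path and the URL-action values 1001 and 1004 set to 3 are the standard Internet Explorer zone policy settings and are an assumption here, since the article does not list them.

```powershell
# Added example: audit a Windows host for the two mitigations described above.
# Minimum Defender detection build quoted in the article.
$MinBuild = [version]'1.349.22.0'

function Test-DefenderBuild {
    param([version]$Minimum)
    # Get-MpComputerStatus ships with the Defender PowerShell module.
    $status  = Get-MpComputerStatus -ErrorAction Stop
    $current = [version]$status.AntivirusSignatureVersion
    [pscustomobject]@{
        Check    = 'Defender detection build'
        Observed = $current.ToString()
        Pass     = ($current -ge $Minimum)
    }
}

function Test-ActiveXInstallPolicy {
    # Assumption (not from the article): standard IE URL-action policy values.
    # 1001 = download signed ActiveX, 1004 = download unsigned ActiveX, 3 = disabled.
    # Zones: 0 = Local Machine, 1 = Intranet, 2 = Trusted, 3 = Internet.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($zone in 0..3) {
        foreach ($action in '1001', '1004') {
            $prop  = Get-ItemProperty -Path "$base\$zone" -Name $action -ErrorAction SilentlyContinue
            $value = $prop.$action   # $null when the key or value is absent
            [pscustomobject]@{
                Check    = "Zone $zone, URL action $action"
                Observed = if ($null -eq $value) { 'not set' } else { "$value" }
                Pass     = ($value -eq 3)
            }
        }
    }
}

$results = @()
try {
    $results += Test-DefenderBuild -Minimum $MinBuild
} catch {
    # Defender absent, disabled, or reporting no signature version: report as a failure.
    $results += [pscustomobject]@{
        Check = 'Defender detection build'; Observed = "unavailable: $($_.Exception.Message)"; Pass = $false
    }
}
$results += Test-ActiveXInstallPolicy
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }   # non-zero exit for fleet tooling
```

A failing ActiveX row only means the policy is not enforced on that host; a patched machine may legitimately leave it unset.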

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
