Coverage for CVE-2021-40444 - MSHTML Remote Code Execution
Last Modified: 2022-12-19 15:56:51 Etc/GMT
Technical Articles ID:
KB94876
Environment
Microsoft Windows operating systems
Summary
We're investigating a zero-day exploit, CVE-2021-40444, that achieves remote code execution through MSHTML. Microsoft has reported use of this exploit in targeted attacks in the wild.

The vulnerability can be leveraged in several ways. In one scenario, an attacker must convince a user to download and open a malicious Office document that leverages ActiveX controls within Internet Explorer. By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Word, Excel, and PowerPoint; both of these mitigations prevent the exploit.

More recent testing shows that Preview Mode removes the user interaction that would normally be required for successful exploitation. For example, if an attacker creates a Rich Text Format (RTF) file and Preview Mode is enabled, the bug might be triggered without the file being opened at all. Disabling Preview Mode in both Windows Explorer and Microsoft Office might be effective here.

While current exploits revolve around Microsoft Word and RTF files, any Office document could potentially be used to trigger the vulnerability. Because Protected View and Application Guard aren't supported outside of Word, Excel, and PowerPoint, the only effective mitigation in those cases is to disable ActiveX entirely for Windows. For mitigation and workarounds, see the Microsoft Security Update Guide (CVE-2021-40444).

Cause
CVE-2021-40444 relies on a maliciously crafted Microsoft Office document that targets ActiveX controls to intentionally invoke remote code execution from MSHTML. Although user interaction is required, awareness of the attack details can help administrators identify it in their environment. The following indicators of compromise (IOCs) have been identified as likely associated with in-the-wild attacks. All known IOCs listed have been validated against the most recent

As a best practice, configure repository update tasks with a minimal refresh interval. This practice ensures that new content is applied as soon as we release it.
Trellix Global Threat Intelligence (GTI) has also categorized network traffic associated with the IOCs.

SHA256:
Category: Phishing
Classification: High Risk

hxxp://dodefoh[.]com
hxxp://23.106.160[.]25
Category: PUPs (potentially unwanted programs)
Classification: Medium Risk

Solution
We recommend implementing generic countermeasures against entry-level threats. For more information, see KB91836 - Countermeasures for entry vector threats. Of the steps recommended in that article, some success has been shown with ENS Exploit Prevention signature "2844: Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability" against known IOCs. This rule is considered aggressive and might result in false positives, so test this recommendation completely before applying it to production systems.

Administrators and analysts can use the following

The following ENS Exploit Prevention Expert Rule has been created to provide additional coverage for this threat. The rule has been updated to minimize false positives, but you should still test it thoroughly before applying it to production systems. You can set the suggested rule to report-only mode for testing, to check whether it conflicts with anything in your environment and to monitor for the target behavior without blocking. After you determine that the rule doesn't block any activity from legitimate applications, set the rule to block and apply the setting to the relevant systems.

NOTE: The referenced content is available only to logged-in ServicePortal users. To view the content, click the link and log in when prompted.

HIGH - HTTP: Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444) (0x45299800):Exploit: This alert indicates an attempt to exploit a remote code execution vulnerability in a Microsoft Office document. This alert requires the HTTP response feature to be enabled; the attack won't be detected if the HTTP response option is disabled.

Further coverage opportunities are currently being evaluated.
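As an added example that is not part of this KB article, the following PowerShell script audits (without changing anything) two of the mitigations the Summary describes: the Internet Explorer zone policy that disables ActiveX control downloads, and the Office Protected View policy for files from the Internet. It assumes the Office 16.0 policy hive and that URL actions 1001 and 1004 are the signed/unsigned ActiveX download settings, where a value of 3 means Disable.

```powershell
# Added example (not from the Trellix KB): read-only audit of CVE-2021-40444 mitigations.
# It reports state only and writes nothing to the registry.
# Assumptions: Office 16.0 policy hive; zone values 1001/1004 are the IE URL actions
# "Download signed/unsigned ActiveX controls", where 3 = Disable.

$zoneBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$findings = @()

# 1. ActiveX download policy per IE zone
#    (0 = Local Machine, 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet)
foreach ($zone in 0..3) {
    $props = Get-ItemProperty -Path "$zoneBase\$zone" -ErrorAction SilentlyContinue
    foreach ($action in '1001', '1004') {
        $value = if ($props) { $props.$action } else { $null }
        $state = if ($value -eq 3) {
            'Disabled (mitigated)'
        } elseif ($null -eq $value) {
            'Not set by policy'
        } else {
            "Value $value (ActiveX download allowed)"
        }
        $findings += [pscustomobject]@{ Check = "IE zone $zone URLACTION $action"; State = $state }
    }
}

# 2. Office Protected View for files from the Internet.
#    DisableInternetFilesInPV = 1 turns Protected View off, removing the mitigation.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $pvPath  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security\ProtectedView"
    $pv      = Get-ItemProperty -Path $pvPath -ErrorAction SilentlyContinue
    $disabled = ($null -ne $pv) -and ($pv.DisableInternetFilesInPV -eq 1)
    $findings += [pscustomobject]@{
        Check = "$app Protected View (Internet files)"
        State = if ($disabled) { 'Disabled by policy (exposed)' } else { 'Enabled / default' }
    }
}

$findings | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on a representative endpoint; any zone row that is not "Disabled (mitigated)" or any Protected View row marked "exposed" is a gap relative to the mitigations described above.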