Mitigation
By default, Microsoft Office opens documents from the internet in Protected View or in Application Guard for Office, both of which prevent the current attack. For information about Protected View, see "What is Protected View?". For information about Application Guard for Office, see "Application Guard for Office".

Customers of Microsoft Defender for Endpoint can enable the attack surface reduction rule "BlockOfficeCreateProcessRule", which blocks Office apps from creating child processes. Creating malicious child processes is a common malware strategy. For more information, see "Use attack surface reduction rules to prevent malware infection".
Workaround
Disabling the installation of all ActiveX controls in Internet Explorer mitigates this attack. This can be accomplished for all sites by configuring the Group Policy using your Local Group Policy Editor or by updating the registry. Previously installed ActiveX controls will continue to run, but do not expose this vulnerability.

To disable ActiveX controls via Group Policy

1. In Group Policy settings, navigate to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.
2. For each zone:
   a. Select the zone (Internet Zone, Intranet Zone, Local Machine Zone, or Trusted Sites Zone).
   b. Double-click Download signed ActiveX controls and Enable the policy. Then set the option in the policy to Disable.
   c. Double-click Download unsigned ActiveX controls and Enable the policy. Then set the option in the policy to Disable.

We recommend applying this setting to all zones to fully protect your system.

Impact of workaround. This sets the URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) for all internet zones for 64-bit and 32-bit processes. New ActiveX controls wi...
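The registry route mentioned above, as an added example that is not part of the original advisory: a PowerShell audit of the two URL actions in the four zones the workaround names, with an optional -Remediate switch that writes the DISABLED value. The policy key path and the zone numbering (0 = Local Machine, 1 = Intranet, 2 = Trusted Sites, 3 = Internet) are assumptions based on the standard Internet Explorer zone policy layout, since this page does not give them.

```powershell
# Added example: audit (and optionally set) the ActiveX download URL actions per zone.
# Run elevated when using -Remediate, because the values live under HKLM.
param([switch]$Remediate)

# Assumption: machine-wide IE zone policy key; this path is not stated on the page.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Assumption: array index equals the zone number used in the registry.
$zoneNames = @('Local Machine', 'Intranet', 'Trusted Sites', 'Internet')

# URL action IDs and the DISABLED value, as given in "Impact of workaround".
$actions = [ordered]@{
    '1001' = 'URLACTION_DOWNLOAD_SIGNED_ACTIVEX'
    '1004' = 'URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX'
}
$Disabled = 3

$report = foreach ($zone in 0..3) {
    $key = Join-Path $base $zone
    foreach ($id in $actions.Keys) {
        # A missing key or value yields $null, which is reported as "not set".
        $current = (Get-ItemProperty -Path $key -Name $id -ErrorAction SilentlyContinue).$id

        if ($Remediate -and $current -ne $Disabled) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $id -Value $Disabled `
                -PropertyType DWord -Force | Out-Null
            $current = $Disabled
        }

        [pscustomobject]@{
            Zone      = "$zone ($($zoneNames[$zone]))"
            Action    = "$id ($($actions[$id]))"
            Value     = if ($null -eq $current) { 'not set' } else { $current }
            Compliant = ($current -eq $Disabled)
        }
    }
}

$report | Format-Table -AutoSize

# A non-zero exit code lets a compliance job flag hosts where the workaround is incomplete.
if ($report.Compliant -contains $false) { exit 1 }
```

Run without arguments, the script only reads the registry and reports; a value of "not set" means the policy has not been configured for that zone.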
FAQ
There are three updates listed in the Security Updates table for Windows 8.1, Windows Server 2012 R2, and Windows Server 2012. Which updates do I need to apply to my system to be protected from this vulnerability?

Customers running Windows 8.1, Windows Server 2012 R2, or Windows Server 2012 can apply either the Monthly Rollup or both the Security Only and the IE Cumulative updates.

I am running Windows 7, Windows Server 2008 R2, or Windows Server 2008. Do I need to apply both the Monthly Rollup and the IE Cumulative updates?

The Monthly Rollup for Windows 7, Windows Server 2008 R2, and Windows Server 2008 includes the update for this vulnerability. Customers who apply the Monthly Rollup do not need to apply the IE Cumulative update. Customers who only apply Security Only updates need to also apply the IE Cumulative update to be protected from this vulnerability.