Details are scarce so far, but Microsoft is warning Office users about a bug that’s dubbed CVE-2021-40444, and described as Microsoft MSHTML Remote Code Execution Vulnerability.
The bug doesn’t have a patch yet, so it’s what’s known as a zero-day, shorthand for “the Good Guys were zero days ahead of the Bad Guys with a patch for this vulnerability.”
In other words: the crooks got there first.
As far as we can tell, the treachery works like this:
- You open a booby-trapped Office file from the internet, either via an email attachment or by downloading a document from a criminal-controlled web link.
- The document includes an ActiveX control (embedded add-on code) that ought not to have unrestricted access to your computer.
- The ActiveX code activates the Windows MSHTML component, used for viewing web pages, exploits a bug in it to give itself the same level of control that you yourself would have right from the Windows desktop, and uses it to implant malware of the attacker’s choice.
MSHTML isn’t a full-on browser, like Internet Explorer or Edge, but is a part of the operating system that can be used to create browsers or browser-like applications that need or want to display HTML files.
Even though HTML is most closely associated with web browsing, many apps other than browsers find it useful to be able to render and display web content, for example as a convenient and good-looking way to present documentation and help files, or to let users fill in and submit support tickets.
This “stripped down minibrowser” concept can be found not only on Windows but also on Google’s Android and Apple’s iOS, where the components Blink and WebKit respectively provide the same sort of functionality as MSHTML on Microsoft platforms. Mozilla products such as Firefox and Thunderbird are based on a similar idea, known as Gecko. On iOS, interestingly, Apple not only uses WebKit as the core of its own browser, Safari, but also mandates the use of WebKit in browsers or browser-like apps from all other vendors. That’s why Firefox on iOS is the only version of that product that doesn’t include Gecko – it has no choice but to use WebKit instead.
HTML isn’t just for browsing
What this means is that HTML rendering bugs don’t just affect your browser and your browsing activity, and therefore there may be many different ways than just sending you a dodgy web link for cybercriminals to poke a virtual stick into buggy web rendering code, and thereby to probe for exploits.
Even if there’s a bug that they can’t quite control closely enough to take over your browser of choice, they may be able to find other applications in which the vulnerability can not only be used to crash the app, but also to exploit it in order to grab control from it and implant malware.
That’s what CVE-2021-40444 seems to do, with the attack being delivered via Office files loaded into Word, Excel and so on, rather than by web pages viewed directly in your browser.
What to do?
- Avoid opening documents you weren’t expecting. Don’t be tempted to look at content just because an email or a document happens to align with your interests, your line of work, or your current research. That doesn’t prove that the sender actually knows you, or that they can be trusted in any way – that information is probably publicly available via your work website or your own social media posts.
- Don’t be tempted to break out of Office Protected View. By default, Office documents received via the internet (whether by email or web) open in a way that prevents active content such as Visual Basic macros and ActiveX controls from running. If you see a yellow bar at the top of the page, warning you that potentially dangerous parts of the document were not activated, resist clicking the
[Enable Editing]
button, especially if the text of the document itself “advises” you to! - Consider enforcing Protected View permanently for all external content. System administrators can enforce network-wide settings that prevent anyone from using the
[Enable Editing]
option to escape from Protected View in Office. Ideally, you should never need to trust so-called active content in external documents, and you sidestep a wide range of attacks if you prevent this happening altogether. - Disable ActiveX controls that use the MSHTML web renderer. Sysadmins can enforce this with a network-wide registry setting that stops ActiveX controls that arrive in new documents from working at all, regardless of whether the document is opened in Protected View or not. This workaround specifically prevents the CVE-2021-40444 vulnerability from being exploited.
- Keep your eyes peeled for a patch from Microsoft. Next Tuesday (2021-09-14) is the September 2021 Patch Tuesday date; let’s hope Microsoft gets a full-blown fix ready by or before then!