On September 7, 2021, Microsoft disclosed a remote code execution vulnerability (CVE-2021-40444) in the Internet Explorer MSHTML browser engine (also known as Trident). As of this publication, threat actors are actively exploiting the flaw using specially crafted Microsoft Office documents.

By convincing a user to open a malicious document that exploits this flaw, a threat actor could execute arbitrary code on the system. The impact depends on the user`s access privileges but could include malware running with the same privileges as the user. The vulnerability affects multiple Microsoft Windows versions from Windows 7 to Windows Server 2022.

Our Security Partner analysis of a malicious document that appears to exploit CVE-2021-40444 and deploy Cobalt Strike as a final payload indicates that the exploit could have been used in the wild since at least August 16. Microsoft Defender Antivirus and Microsoft Defender for Endpoint provide protection for this vulnerability as of build 1.349.22.0.

Recommended actions:

Microsoft states that opening Microsoft Office documents in Protected View or using Application Guard for Office prevents this exploit. A patch is not available as of this publication. We recommend that customers review the Microsoft advisory and apply the mitigation and workaround guidance as appropriate in their environments.

Questions:

If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk

References:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444
https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653
https://support.microsoft.com/en-us/topic/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46