Update from our previous post – Active exploitation of Microsoft vulnerability
Summary
Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.
User interaction is required to exploit this vulnerability: users must first open a malicious document. Microsoft Office opens documents received over the Internet in Protected View or through Application Guard for Office, either of which can prevent CVE-2021-40444 from being exploited. However, users may click the Enable Editing button, thus disarming these security mechanisms.
Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protection for the known vulnerability, shown as “Suspicious Cpl File Execution”. Customers who utilise automatic updates do not need to take additional action. Enterprise customers who manage updates should select detection build 1.349.22.0 or newer and deploy it across their environments ASAP.
Jisc are not able to carry out Janet-wide scans for this vulnerability as it is client-based.
Vulnerable versions:
- Microsoft Windows 10 (1607 through 21H1)
- Microsoft Windows 8.1
- Microsoft Windows 7
- Windows Server (2008 R2 through 2022)
- Windows Server (2004 and 20H2)
Recommendation(s):
- Ensure a modern anti-malware solution is deployed to all client devices.
- Ensure anti-malware policies are applied consistently across all client devices.
- Ensure anti-malware solutions (Engines and Definitions) are kept up to date in line with vendor release cycles.
- Ensure a security solution is in place at the corporate mail gateway level, preferably one with sandbox capabilities.
- Raise user awareness of modern cyber threats, reminding users never to open documents from untrusted sources.
- Consider disabling ActiveX downloads using the workaround provided by the Microsoft Security Response Center (MSRC) at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444.
- Monitor the above MSRC page for updates from Microsoft on this evolving issue.
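The following PowerShell script is an added example and is not part of this advisory or of Microsoft's own tooling. It audits a Windows host against the recommendations above: it checks that the Defender signature build meets the 1.349.22.0 minimum named in the summary, checks (and with `-Apply`, sets) the MSRC ActiveX-download workaround, and checks that Word's Protected View for Internet-sourced files has not been disabled by policy. The zone registry path and URLACTION values (1001 and 1004 set to 3 in zones 0 to 3) are those published on the MSRC page linked above; the Protected View value name `DisableInternetFilesInPV` and the use of the Office 16.0 hive are assumptions for a current Office install, so confirm both against your own baseline before deploying at scale.

```powershell
# Added example: audit (and optionally apply) CVE-2021-40444 mitigations on one host.
# Run from an elevated PowerShell prompt; use -Apply to set the ActiveX workaround.
param([switch]$Apply)

# Policy zone keys override per-user Internet Settings zone values.
$ZoneBase       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveXActions = @('1001', '1004')        # download signed / unsigned ActiveX controls
$Disable        = 3                        # URLACTION value 3 = Disable (per MSRC workaround)
$MinimumSignature = [version]'1.349.22.0'  # detection build named in the advisory

function Test-ActiveXWorkaround {
    # $true only when every zone 0-3 has both URLACTION values set to Disable.
    foreach ($zone in 0..3) {
        $key = "$ZoneBase\$zone"
        foreach ($action in $ActiveXActions) {
            $value = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
            if ($value -ne $Disable) { return $false }
        }
    }
    return $true
}

function Set-ActiveXWorkaround {
    # Applies the MSRC workaround: creates the policy zone keys if absent and sets 1001/1004 = 3.
    foreach ($zone in 0..3) {
        $key = "$ZoneBase\$zone"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($action in $ActiveXActions) {
            New-ItemProperty -Path $key -Name $action -PropertyType DWord -Value $Disable -Force | Out-Null
        }
    }
}

function Test-DefenderSignature {
    # Compares the installed Defender AV signature build with the advisory's minimum.
    try {
        $status  = Get-MpComputerStatus -ErrorAction Stop
        $current = [version]$status.AntivirusSignatureVersion
        [pscustomobject]@{
            Installed = $current
            Required  = $MinimumSignature
            UpToDate  = ($current -ge $MinimumSignature)
        }
    } catch {
        # Defender module absent or service not running: report rather than silently pass.
        [pscustomobject]@{ Installed = $null; Required = $MinimumSignature; UpToDate = $false; Error = $_.Exception.Message }
    }
}

function Test-ProtectedView {
    # Assumption: Protected View for Internet files is disabled when DisableInternetFilesInPV = 1
    # in either the user or the policy hive for Word 16.0. Extend to Excel/PowerPoint as needed.
    $paths = @(
        'HKCU:\Software\Microsoft\Office\16.0\Word\Security\ProtectedView',
        'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name 'DisableInternetFilesInPV' -ErrorAction SilentlyContinue).DisableInternetFilesInPV
        if ($v -eq 1) { return $false }
    }
    return $true
}

# Apply the workaround only when asked and only if it is not already in place.
if ($Apply -and -not (Test-ActiveXWorkaround)) { Set-ActiveXWorkaround }

# Summary object suitable for collection by a config-management or SIEM agent.
[pscustomobject]@{
    ComputerName             = $env:COMPUTERNAME
    ActiveXDownloadsDisabled = Test-ActiveXWorkaround
    ProtectedViewEnabled     = Test-ProtectedView
    DefenderSignature        = Test-DefenderSignature
} | Format-List
```

Run the script without arguments to get a read-only report, and with `-Apply` to set the ActiveX workaround. Because the workaround lives under the `Policies` hive, it is equally suitable for distribution through Group Policy Preferences rather than per-host scripting; the audit half remains useful either way for confirming that the policy actually landed on each client.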