A new Windows vulnerablity actively exploited using phishing attacks

Author: Harsh Panchal

Early this month Microsoft has published a note on a critical vulnerability that allows attackers to fully gain access to the user device. Just by opening a simple Microsoft Office document without having macro-enabled, the attacker can have full access to the user system. This vulnerability is known as MSHTML remote code execution and CVE-2021-40444.

Attackers and security researchers are taking advantage of this vulnerability to gain access to the end-user device without getting detected by the antivirus and anti-malware solutions. Microsoft has warned the community and all users as they have still not published any official security patch for this vulnerability. All Windows 10 versions and some Windows Servers are targeted using this vulnerability.

This exploit renders the Active X engine that has been used in the Microsoft Operating system. Furthermore, this is not only working on Internet Explorer but it works with Microsoft Office products as well. Here is the attack chain that has been provided by Microsoft.

Microsoft has not officially released any security patch for this vulnerability as it is still under-investigated. However, they have published a workaround mitigation guide that can help you to protect your business against such attacks. Please note that applying this workaround will impact the ability of printing services on Windows devices therefore, you won't be able to print certain documents because they rely on Active X controls. Alternatively, if you have enabled the attack surface reduction rules on your Microsoft environment then this attack will not be impacted by this exploit.

If you are using SentinelOne as your Antivirus defence then you can also mitigate and capture this vulnerability using the rules and policy and also mitigate and remediate the attack with just a click of a button. For more details please contact our support team at hello@techforce.co.uk.