Microsoft has released patches today for a zero-day vulnerability in one of the Windows components that was abused in the wild for attacks using weaponized Office documents.
The vulnerability is tracked as CVE-2021-40444, and patches have been made available for Windows versions as far back as Windows 7 and Windows Server 2008.
The bug resides in the Microsoft MHTML component, also known as Trident, the old Internet Explorer browser engine. Microsoft said it discovered instances where a threat actor had created malicious Office files that used the MHTML component to load web-based content inside the documents, such as a malicious ActiveX control, which exploited CVE-2021-40444 to run code on the underlying Windows OS.
A successful attack allowed threat actors to gain control over a user’s OS, Microsoft said last week.
While no technical details were revealed last week, security researchers and malware developers quickly figured out what the issue was, and proof-of-concept code to exploit the bug was eventually published on both GitHub and underground hacking forums. That code has already been weaponized and integrated into attacks spotted this week.
A campaign with it today targeting Russian telcos…— alex lanstein (@alex_lanstein) September 13, 2021
Fortunately, today’s Office zero-day patch also comes just in time, as several security researchers discovered last week ways to bypass Microsoft’s temporary mitigation solutions [1, 2], meaning that Windows users were fully exposed to these attacks without any kind of protection.
However, whether the patches hold up remains to be seen. Several security researchers have publicly stated that the bug is buried deep enough in core Office behavior that attackers could easily find new ways to abuse this issue, creating another scenario similar to Microsoft’s never-ending PrintNightmare patching conundrum.
But besides fixes for CVE-2021, Microsoft has also released other security updates today, with patches for 85 other bugs, 48 of which are Edge/Chromium-related issues.
Of these, the most important appears to be CVE-2021-36968, an elevation of privilege in the Windows DNS service, for which details have been publicly shared on the internet.
“According to Microsoft, it is not being exploited in the wild,” said Allan Liska, threat intelligence analyst at Recorded Future. “It is labelled Important by Microsoft and, interestingly, only impacts Windows 7 and Windows Server 2008.”
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.