Software vendor colossus Microsoft is no stranger to cybersecurity incidents and weaknesses in software code. Recently, there have been several incidents involving everything from misconfigurations leading to data leaks and cloud vulnerabilities leading to exposed customer databases, to phishing campaigns targeting Office 365 users and several other software security flaws and bugs. Of course, for such a gargantuan, all-encompassing, multi-faceted giga-corporation, some problems are to be expected at this scale. The same applies to corporations like Google, in that mistakes and weaknesses are bound to occur when there is so much business throughput.
Adding to that, this year and last year have also seen a notable rise in detected software weaknesses, meaning that the industry as a whole is lacking some focus with regards to software development and testing.
Once again, software weaknesses are in the news, and the latest security advisories reveal another software vulnerability. This is something of a high-profile case that will raise quite a few eyebrows, as the affected software in question is the Microsoft Windows Operating System (OS). What is particularly worrying in the release reports is that Microsoft has flagged a critical vulnerability affecting MSHTML. The reason for the high alert level is that this vulnerability is being exploited in the wild and has been rated as critical risk.
What is MSHTML?
MSHTML, also known as Trident, is a Microsoft Windows software component. Technically called a ‘layout engine’, its function is to render web pages within the Microsoft Windows OS. MSHTML is best known as the engine behind Internet Explorer, although Microsoft Outlook, Skype, and Visual Studio make use of it as well.
MSHTML Remote Code Execution Vulnerability
On September 7, 2021, Microsoft’s MSRC (Microsoft Security Response Center) publicly announced a high-alert software vulnerability report concerning the MSHTML (Trident) component of Microsoft Windows.
The technical details reveal that the critical vulnerability in question is a Microsoft MSHTML Remote Code Execution Vulnerability (code injection). The vulnerability (CVE-2021-40444) allows a remote attacker to execute arbitrary code on the target system. It exists due to improper input validation within the MSHTML component. A remote attacker can create a specially crafted Office document with a malicious ActiveX control inside, trick the victim into opening the document, and execute arbitrary code on the system. Successful exploitation of this vulnerability may result in the complete compromise of a vulnerable system.
Vulnerable Software Versions
Windows: 8.1, 10, 10 20H2, 10 21H1, 10 1507, 10 1511, 10 1607, 10 1703, 10 1709, 10 1803, 10 1809, 10 1903, 10 1909, 10 2004, 10 Gold, 10 Mobile, 10 S, RT 8.1
Windows Server: 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2019 20H2, 2019 2004
Microsoft Internet Explorer: 11
Important User Information
Users of Microsoft Windows need to know that there is no patch available as of yet, and that the vulnerability is being actively exploited in the wild. According to Microsoft, Microsoft Defender Antivirus and Microsoft Defender for Endpoint “both provide detection and protections for the known vulnerability.” Microsoft recommends that customers keep their antimalware solutions updated if automatic updates are not already enabled. As for enterprise customers, “Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments.”
For more information on mitigations and workarounds, customers and users should check this page or alternatively contact Microsoft support. Microsoft has credited the following individuals from the security community who are helping to protect customers from vulnerabilities: Rick Cole (MSTIC), Dhanesh Kizhakkinan of Mandiant, Genwei Jiang of Mandiant, Haifei Li of EXPMON, and Bryce Abdo of Mandiant.