Hsinchu, Taiwan – Sep 15, 2021 – Microsoft published a security report which is named as “Microsoft MSHTML Remote Code Execution Vulnerability” on Sep 7, 2021. This vulnerability is tracked as CVE-2021-40444. It was found in the MSHTML browser rendering engine of Internet Explorer used by Microsoft Office documents.

“MSHTML”, aka “Trident”, is the html rendering engine of Internet Explorer and is also used by Microsoft Office. It is a default component of MS-Windows and unable to be removed. Although the web browser recommended by Microsoft is the Microsoft Edge web browser which used Chromium engine, the same one used by Google Chrome web browser. But the Microsoft Office and Office 365 still use MSHTML engine. The recent versions of MS-Windows still equip with Internet Explorer for compatibility. So all MS-Windows versions contain Internet Explorer are impacted, even Windows 10, whose default web browser is Microsoft Edge. And its “Remote Code Execution” vulnerability allows cyber-criminals to do anything on your PC once they intruded successfully. Therefore CVE-2021-40444 has a severity level of 8.8 out of the maximum 10.

So far, the CVE-2021-40444 is usually adopted in this way - sending specially-crafted Office documents with malicious ActiveX controls to potential victims. According to Fully Weaponized CVE-2021-40444 article, the steps of a CVE-2021-40444 attack are summarized as follows -

1. Docx opened
2. Relationship stored in document.xml.rels points to malicious html
3. IE preview is launched to open the HTML link
4. JScript within the HTML contains an object pointing to a CAB file, and an iframe pointing to an INF file, prefixed with the “.cpl:” directive
5. The cab file is opened, the INF file stored in the %TEMP%\Low directory
6. Due to a Path traversal (ZipSlip) vulnerability in the CAB, it’s possible to store the INF in %TEMP%
7. Then, the INF file is opened with the “.cpl:” directive, causing the side-loading of the INF file via rundll32 (if this is a DLL)

After Microsoft published “Microsoft MSHTML Remote Code Execution Vulnerability” on Sep 7, Lionic security research team studied this issue immediately and added Cloud AV signatures very soon at 18:00, Sep 7, 2021. Accumulated to Sep/22, Lionic has detected 660 times of CVE-2021-40444 attacks. On Sep 17, the Anti-Intrusion Rules for CVE-2021-40444 are complete and released. All Lionic security technology based network devices can protect users against CVE-2021-40444 in both anti-virus and anti-intrusion features.

Partial list of Cloud Anti-Virus and Anti-Intrusion rules for CVE-2021-40444:

Microsoft certainly fixed this vulnerability before publishing this “Microsoft MSHTML Remote Code Execution Vulnerability” security report. All users are strongly suggested to install all the Microsoft patches to avoid CVE-2021-40444 and other vulnerabilities found so far.

Although keeping MS-Windows up-to-date is a good method to avoid CVE-2021-40444, there are still some MS-Windows which are unable to be upgraded easily, for example, those MS-Windows used by factory machines or some limited-resource appliances. Pico-UTM 100, the security filter network bridge developed by Lionic, is the best solution for this situation. Since Pico-UTM used Lionic security technology and can protect factory machine against CVE-2021-40444 in both anti-virus and anti-intrusion features, it is similar to patching the factory machines virtually.

Therefore it is strongly recommended that installing one Pico-UTM for one important appliance, whether in factory or not. If there is large deployment of Pico-UTM in a factory, Lionic also can provide CMS (Central Management System) software for managing large volume of Pico-UTM more efficiently.

References:

1. Microsoft MSHTML Remote Code Execution Vulnerability, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
2. Microsoft fixes Windows CVE-2021-40444 MSHTML zero-day bug, https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-cve-2021-40444-mshtml-zero-day-bug/
3. Microsoft MSHTML CVE-2021-40444 Zero-Day Targets Windows Users, https://www.blumira.com/cve-2021-40444/
4. Fully Weaponized CVE-2021-40444, https://github.com/klezVirus/CVE-2021-40444