Microsoft's Patch Tuesday security updates for September 2021 addressed a high-severity zero-day RCE actively exploited in targeted attacks aimed at Microsoft Office and Office 365 on Windows 10 computers.
The flaw, tracked as CVE-2021-40444, resides in MSHTML, the main HTML component of the Windows Internet Explorer browser, which is also used in other applications.
Last week, Microsoft warned of a zero-day vulnerability (CVE-2021-40444) in Internet Explorer that is actively exploited by threat actors to hijack vulnerable Windows systems. At the time, Microsoft did not share information about the attacks or the nature of the threat actors.
The vulnerability was exploited by threat actors in malspam attacks spreading weaponized Office docs.
“This patch fixes a bug currently being exploited via Office documents. A specially crafted ActiveX control is embedded in an Office doc then sent to a target. If opened on an affected system, code executes at the level of the logged-on user. Microsoft lists disabling ActiveX as a workaround, but other reports state this may be ineffective. As of now, the most effective defense is to apply the patch and avoid Office docs you aren’t expecting to receive.” reads the post published by ZDI. “There are multiple updates for specific platforms, so be sure to carefully review and install all needed patches to ensure you are covered.”
The flaw was reported by Mandiant researchers Bryce Abdo, Dhanesh Kizhakkinan and Genwei Jiang, and by Haifei Li from EXPMON. EXPMON researchers described the attack exploiting the CVE-2021-40444 flaw as a highly sophisticated zero-day attack against Microsoft Office users.
“Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately.” reads the update to the advisory published by Microsoft.
This month, Microsoft addressed a total of 66 CVEs in Microsoft Windows and Windows components, Microsoft Edge (Chromium, iOS, and Android), Azure, Office and Office Components, SharePoint Server, Microsoft Windows DNS, and the Windows Subsystem for Linux.
Three of the flaws fixed by Microsoft are rated Critical; the other two Critical issues are a Windows WLAN AutoConfig Service Remote Code Execution Vulnerability (CVE-2021-36965) and an Open Management Infrastructure Remote Code Execution Vulnerability (CVE-2021-38647).
The other 62 flaws are rated Important, and only one is rated Moderate in severity.
(SecurityAffairs – hacking, Microsoft Patch Tuesday)