Hsinchu, Taiwan – Sep 15, 2021 – Microsoft published a security report which is named as “Microsoft MSHTML Remote Code Execution Vulnerability” on Sep 7, 2021. This vulnerability is tracked as CVE-2021-40444. It was found in the MSHTML browser rendering engine of Internet Explorer used by Microsoft Office documents.
“MSHTML”, aka “Trident”, is the html rendering engine of Internet Explorer and is also used by Microsoft Office. It is a default component of MS-Windows and unable to be removed. Although the web browser recommended by Microsoft is the Microsoft Edge web browser which used Chromium engine, the same one used by Google Chrome web browser. But the Microsoft Office and Office 365 still use MSHTML engine. The recent versions of MS-Windows still equip with Internet Explorer for compatibility. So all MS-Windows versions contain Internet Explorer are impacted, even Windows 10, whose default web browser is Microsoft Edge. And its “Remote Code Execution” vulnerability allows cyber-criminals to do anything on your PC once they intruded successfully. Therefore CVE-2021-40444 has a severity level of 8.8 out of the maximum 10.
So far, the CVE-2021-40444 is usually adopted in this way - sending specially-crafted Office documents with malicious ActiveX controls to potential victims. According to Fully Weaponized CVE-2021-40444 article, the steps of a CVE-2021-40444 attack are summarized as follows -
- Docx opened
- Relationship stored in document.xml.rels points to malicious html
- IE preview is launched to open the HTML link
- JScript within the HTML contains an object pointing to a CAB file, and an iframe pointing to an INF file, prefixed with the “.cpl:” directive
- The cab file is opened, the INF file stored in the %TEMP%\Low directory
- Due to a Path traversal (ZipSlip) vulnerability in the CAB, it’s possible to store the INF in %TEMP%
- Then, the INF file is opened with the “.cpl:” directive, causing the side-loading of the INF file via rundll32 (if this is a DLL)
After Microsoft published “Microsoft MSHTML Remote Code Execution Vulnerability” on Sep 7, Lionic security research team studied this issue immediately and added Cloud AV signatures very soon at 18:00, Sep 7, 2021. Accumulated to Sep/22, Lionic has detected 660 times of CVE-2021-40444 attacks. On Sep 17, the Anti-Intrusion Rules for CVE-2021-40444 are complete and released. All Lionic security technology based network devices can protect users against CVE-2021-40444 in both anti-virus and anti-intrusion features.
Partial list of Cloud Anti-Virus and Anti-Intrusion rules for CVE-2021-40444:
Cloud Anti-Virus Rule ID for CVE-2021-40444 | Anti-Intrusion Rule ID for CVE-2021-40444 |
---|---|
9265964569974881 | 8100676 |
9051876642457946 | 8100677 |
9098545007852746 | 8100680 |
9184487871880608 | … |
9117717123197728 | |
9054432778857215 | |
9257374379053431 | |
9048021420027758 | |
9212208961279316 | |
9157809365004876 | |
… |
Microsoft certainly fixed this vulnerability before publishing this “Microsoft MSHTML Remote Code Execution Vulnerability” security report. All users are strongly suggested to install all the Microsoft patches to avoid CVE-2021-40444 and other vulnerabilities found so far.
Although keeping MS-Windows up-to-date is a good method to avoid CVE-2021-40444, there are still some MS-Windows which are unable to be upgraded easily, for example, those MS-Windows used by factory machines or some limited-resource appliances. Pico-UTM 100, the security filter network bridge developed by Lionic, is the best solution for this situation. Since Pico-UTM used Lionic security technology and can protect factory machine against CVE-2021-40444 in both anti-virus and anti-intrusion features, it is similar to patching the factory machines virtually.
Therefore it is strongly recommended that installing one Pico-UTM for one important appliance, whether in factory or not. If there is large deployment of Pico-UTM in a factory, Lionic also can provide CMS (Central Management System) software for managing large volume of Pico-UTM more efficiently.
References:
- Microsoft MSHTML Remote Code Execution Vulnerability, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
- Microsoft fixes Windows CVE-2021-40444 MSHTML zero-day bug, https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-cve-2021-40444-mshtml-zero-day-bug/
- Microsoft MSHTML CVE-2021-40444 Zero-Day Targets Windows Users, https://www.blumira.com/cve-2021-40444/
- Fully Weaponized CVE-2021-40444, https://github.com/klezVirus/CVE-2021-40444
關於Lionic Corporation
Lionic Corporation是創新的「深層數據包檢測」解決方案的全球供應商。 Lionic的技術包括完整的基於DPI的軟件引擎和相關的管理軟件,這些軟件提供可解決防病毒,防入侵,防網絡威脅的「安全解決方案」。 以及「內容管理解決方案」,用於解決應用程序標識,設備標識,基於應用程序的QoS,Web內容過濾,家長控制。
Lionic的安全和內容管理解決方案,基於雲的掃描服務和簽名訂閱服務已經在世界範圍內廣泛部署, 他們幫助服務供應商,網絡設備製造商,半導體公司等,以實現下一代家用商業路由器網關,SD WAN邊緣和雲網關,高級防火牆,UTM,智慧網卡和移動設備。 那些由Lionic支持的產品可提供更好的網絡管理和保護全球網絡免受不斷增加的安全威脅。