IT Professionals:
The University Information Security Office would like to make you aware of the following:
Background
On September 7, 2021, Microsoft released information about an MSHTML remote code execution vulnerability, CVE-2021-40444 (CVSS score: 8.8) [1], affecting Microsoft Office documents. The flaw is rooted in MSHTML (also known as Trident), the proprietary browser engine of the now-discontinued Internet Explorer, which Office uses to render web content inside Word, Excel, and PowerPoint documents.
Impact
An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. In real-world scenarios these attacks arrive via phishing: a user opens a document received by email or is persuaded to download one, and opening it triggers the vulnerability. Users who perform their day-to-day work as a non-privileged user could be less impacted than users who operate with privileged accounts.
Platforms affected
All versions of Windows, including workstation and server versions
Local observations
The UISO has not observed local attacks exploiting this vulnerability.
UISO recommendations:
Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protection for the known vulnerability. UISO strongly encourages ITPros to keep antimalware products up to date. Customers who use automatic updates do not need to take additional action. Enterprise customers who manage updates themselves should select detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”. If this kind of alert is seen in your environment, please notify it-incident@iu.edu.
Lastly, users are strongly encouraged not to open any documents that they were not expecting.
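For ITPros who manage Defender updates themselves, the following PowerShell script is an added example (not part of this advisory) that reports whether a host's security intelligence build meets the 1.349.22.0 threshold named above and triggers an update if it does not. It assumes the built-in Defender PowerShell module is available and that the script runs with rights to read Defender status; the function name Test-DefenderSignatureBuild is ours.

```powershell
# Added example, not part of the UISO advisory: verify that this host's
# Microsoft Defender security intelligence build is at least 1.349.22.0
# (the detection build named in the advisory) and update it if it is older.
# Assumes the Defender PowerShell module (Get-MpComputerStatus,
# Update-MpSignature) is present, as it is on supported Windows builds.

$RequiredBuild = [version]'1.349.22.0'   # detection build named in the advisory

function Test-DefenderSignatureBuild {
    param([version]$Required = $RequiredBuild)

    $status    = Get-MpComputerStatus
    $installed = [version]$status.AntivirusSignatureVersion

    # Return a record rather than printing, so it can be collected fleet-wide
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        InstalledBuild      = $installed
        RequiredBuild       = $Required
        LastSignatureUpdate = $status.AntivirusSignatureLastUpdated
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        Compliant           = ($installed -ge $Required)
    }
}

$result = Test-DefenderSignatureBuild
$result | Format-List

if (-not $result.Compliant) {
    Write-Warning "Security intelligence build $($result.InstalledBuild) is older than $RequiredBuild; updating."
    Update-MpSignature
    # Re-check after the update attempt so the final state is recorded
    Test-DefenderSignatureBuild | Format-List
}
```

To check many hosts at once, the function can be run through Invoke-Command against a list of computer names and the returned objects filtered on Compliant -eq $false to produce the list of machines still needing the newer build.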
Workarounds
The workarounds provided by Microsoft have already been bypassed; no known workaround exists [2].
–IT Community Partnerships on behalf of the University Information Security Office
Further reading
[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444