Microsoft Patch Tuesday fixes CVE-2021-40444 MSHTML zero-day

Microsoft Patch Tuesday security updates for September 2021 addressed a high severity zero-day flaw actively exploited in targeted attacks.

Microsoft Patch Tuesday security updates for September 2021 addressed a high severity zero-day RCE actively exploited in targeted attacks aimed at Microsoft Office and Office 365 on Windows 10 computers.

The flaw, tracked as CVE-2021-40444, resides in the MSHTML, which is the main HTML component of the Windows Internet Explorer browser, it is also used in other applications.

Last week, Microsoft warned of a zero-day vulnerability (CVE-2021-40444) in Internet Explorer that is actively exploited by threat actors to hijack vulnerable Windows systems. At the time, Microsoft did not share info about the attacks either the nature of the threat actors.

The vulnerability was exploited by threat actors in malspam attacks spreading weaponized Office docs.

“This patch fixes a bug currently being exploited via Office documents. A specially crafted ActiveX control is embedded in an Office doc then sent to a target. If opened on an affected system, code executes at the level of the logged-on user. Microsoft lists disabling ActiveX as a workaround, but other reports state this may be ineffective. As of now, the most effective defense is to apply the patch and avoid Office docs you aren’t expecting to receive.” reads the post published by ZDI. “There are multiple updates for specific platforms, so be sure to carefully review and install all needed patches to ensure you are covered.”

The flaw was reported by Mandiant researchers Bryce Abdo, Dhanesh Kizhakkinan and Genwei Jiang, and Haifei Li from EXPMON. EXPMON researchers defined the attack exploiting the CVE-2021-40444 flaw as a highly sophisticated zero-day attack against Microsoft Office users.

“Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately.” reads update to the advisory published by Microsoft.

This month, Microsoft addressed a total of 66 CVEs in Microsoft Windows and Windows components, Microsoft Edge (Chromium, iOS, and Android), Azure, Office and Office Components, SharePoint Server, Microsoft Windows DNS, and the Windows Subsystem for Linux.

Three of the flaws fixed by Microsoft are rated Critical, the other two critical issues are a Windows WLAN AutoConfig Service Remote Code Execution Vulnerability (CVE-2021-36965) and an Open Management Infrastructure Remote Code Execution Vulnerability (CVE-2021-38647).

Other 62 flaws are rated Important, and only one is rated Moderate in severity.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Patch Tuesday)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.