Hsinchu, Taiwan – Sep 15, 2021 – Microsoft published a security report which is named as “Microsoft MSHTML Remote Code Execution Vulnerability” on Sep 7, 2021. This vulnerability is tracked as CVE-2021-40444. It was found in the MSHTML browser rendering engine of Internet Explorer used by Microsoft Office documents.

“MSHTML”, aka “Trident”, is the html rendering engine of Internet Explorer and is also used by Microsoft Office. It is a default component of MS-Windows and unable to be removed. Although the web browser recommended by Microsoft is the Microsoft Edge web browser which used Chromium engine, the same one used by Google Chrome web browser. But the Microsoft Office and Office 365 still use MSHTML engine. The recent versions of MS-Windows still equip with Internet Explorer for compatibility. So all MS-Windows versions contain Internet Explorer are impacted, even Windows 10, whose default web browser is Microsoft Edge. And its “Remote Code Execution” vulnerability allows cyber-criminals to do anything on your PC once they intruded successfully. Therefore CVE-2021-40444 has a severity level of 8.8 out of the maximum 10.

So far, the CVE-2021-40444 is usually adopted in this way - sending specially-crafted Office documents with malicious ActiveX controls to potential victims. According to Fully Weaponized CVE-2021-40444 article, the steps of a CVE-2021-40444 attack are summarized as follows -

  1. Docx opened
  2. Relationship stored in document.xml.rels points to malicious html
  3. IE preview is launched to open the HTML link
  4. JScript within the HTML contains an object pointing to a CAB file, and an iframe pointing to an INF file, prefixed with the “.cpl:” directive
  5. The cab file is opened, the INF file stored in the %TEMP%\Low directory
  6. Due to a Path traversal (ZipSlip) vulnerability in the CAB, it’s possible to store the INF in %TEMP%
  7. Then, the INF file is opened with the “.cpl:” directive, causing the side-loading of the INF file via rundll32 (if this is a DLL)

After Microsoft published “Microsoft MSHTML Remote Code Execution Vulnerability” on Sep 7, Lionic security research team studied this issue immediately and added Cloud AV signatures very soon at 18:00, Sep 7, 2021. Accumulated to Sep/22, Lionic has detected 660 times of CVE-2021-40444 attacks. On Sep 17, the Anti-Intrusion Rules for CVE-2021-40444 are complete and released. All Lionic security technology based network devices can protect users against CVE-2021-40444 in both anti-virus and anti-intrusion features.

Partial list of Cloud Anti-Virus and Anti-Intrusion rules for CVE-2021-40444:

Cloud Anti-Virus Rule ID for CVE-2021-40444 Anti-Intrusion Rule ID for CVE-2021-40444
9265964569974881 8100676
9051876642457946 8100677
9098545007852746 8100680
9184487871880608
9117717123197728
9054432778857215
9257374379053431
9048021420027758
9212208961279316
9157809365004876

Microsoft certainly fixed this vulnerability before publishing this “Microsoft MSHTML Remote Code Execution Vulnerability” security report. All users are strongly suggested to install all the Microsoft patches to avoid CVE-2021-40444 and other vulnerabilities found so far.

Although keeping MS-Windows up-to-date is a good method to avoid CVE-2021-40444, there are still some MS-Windows which are unable to be upgraded easily, for example, those MS-Windows used by factory machines or some limited-resource appliances. Pico-UTM 100, the security filter network bridge developed by Lionic, is the best solution for this situation. Since Pico-UTM used Lionic security technology and can protect factory machine against CVE-2021-40444 in both anti-virus and anti-intrusion features, it is similar to patching the factory machines virtually.

Therefore it is strongly recommended that installing one Pico-UTM for one important appliance, whether in factory or not. If there is large deployment of Pico-UTM in a factory, Lionic also can provide CMS (Central Management System) software for managing large volume of Pico-UTM more efficiently.

References:

  1. Microsoft MSHTML Remote Code Execution Vulnerability, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
  2. Microsoft fixes Windows CVE-2021-40444 MSHTML zero-day bug, https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-cve-2021-40444-mshtml-zero-day-bug/
  3. Microsoft MSHTML CVE-2021-40444 Zero-Day Targets Windows Users, https://www.blumira.com/cve-2021-40444/
  4. Fully Weaponized CVE-2021-40444, https://github.com/klezVirus/CVE-2021-40444

 

About Lionic Corporation

Lionic Corporation is a worldwide provider of innovative Deep Packet Inspection solutions. The technologies of Lionic include the complete DPI-based software engine and related management software which offer the Security Solutions that addresses anti-virus, anti-intrusion, anti-webthreat; and the Content Management Solutions that addresses application identification, device identification, application based QoS, web content filtering, parental control.

Lionic’s security and content management solutions, cloud-based scan services and signature subscription service are widely deployed in the world already. They help service providers, network appliance manufacturers, semiconductor companies, etc. to enable the next generation of business routers, residential gateways, SD WAN edges and cloud gateways, advanced firewalls, UTMs, Smart NICs and mobile devices. Those products powered by Lionic provide better network management and protect the world’s networks from an ever increasing level of security threats.