FortiGuard Labs Threat Research

Microsoft MSHTML Remote Code Execution Vulnerability Exploited in the Wild (CVE-2021-40444)

By Val Saengphaibul | September 09, 2021

FortiGuard Labs Threat Research Report

On September 7, 2021, Microsoft disclosed an active in-the-wild attack affecting Microsoft Windows. This vulnerability, CVE-2020-40444, is a remote code execution vulnerability in MSHTML. It does not currently have a patch, MSHTML is also referred to as Trident, is a legacy proprietary browser engine specific to Internet Explorer and Windows platforms. In-the-wild attacks on targets were observed to be using specially crafted malicious Microsoft Office documents. Like most such attacks, targets have to be compelled or lured to open the malicious document for it to run successfully. 

This blog provides information on the vulnerability, how the attack works, and Fortinet product protections in place to address this vulnerability. Additional information can be found in the Threat Signal published by FortiGuard Labs on September 7.

Technical Overview of Microsoft MSHTML Remote Code Execution Vulnerability 

According to Microsoft, "An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine." The threat actor uses a specially crafted Office file that uses the Internet Explorer engine to render a predetermined web page that the threat actor has crafted or compromised. However, for an attacker to successfully leverage this vulnerability, the target must be socially engineered into opening the maliciously crafted Office file that uses an ActiveX control to download a seperate malicious payload. The threat is then executed using CPL file execution to complete its task. CPL file execution uses a control panel wherein a CPL file exports a function called a CPLApplet that Windows recognizes as a control panel application.

What makes this vulnerability unique is the usage of legacy applications that exist in Microsoft Windows. Internet Explorer and ActiveX have been part of the Microsoft Windows platform for over three decades. First introduced in 1996 alongside Internet Explorer 3.0, ActiveX enables interactions between Internet Explorer and the host operating system. Because of the privileges provided to ActiveX, malicious ActiveX controls can have access to critical information, such as keystrokes and sensitive system data. Although deprecated, Windows 10 and Microsoft Office still support ActiveX controls as many organizations depend on this technology. 

To complicate matters further, Microsoft ended all Internet Explorer and ActiveX support on August 31, 2020. Internet Explorer is expected to be officially retired on June 15, 2022, and will not be included in Windows 11. There has been no official announcement regarding the inclusion of ActiveX in Windows 11.

Fortinet Protections

  • FortiGuard Labs has AV coverage in place for known malicious file samples as:

JS/Agent.NKE!tr (definitions version 88.00961)
MSOFFICE/Agent.DHY!tr (definitions version 88.00961)
W64/Agent.ASO!tr (definitions version 88.00798)
MSOffice/Agent.d455!tr.dldr (definitions version 88.00961)
MSOffice/Agent.CNG!tr.dldr (definitions version 88.00961)

  • The WebFiltering client blocks all known network IOCs.
  • For FortiEDR, all known samples have been added to our cloud intelligence and will be blocked if executed.
  • For IPS protection, FortiGuard Labs has IPS coverage in place for this vulnerability as: MS.Office.MSHTML.Remote.Code.Execution

FortiGuard Content, Disarm, and Reconstruction (CDR) can protect users from this attack by enabling the following option:

Enable/disable stripping of linked objects in Microsoft Office documents.

Regarding mitigation, FortiGuard Labs recommends disabling all ActiveX controls in Microsoft Internet Explorer, which will address this issue. This can be performed by editing the registry. Specific details on how to perform these edits have been included in the related Microsoft advisory. Please note that this should be done carefully, as incorrectly editing the registry can cause severe operating system issues.

Because it has been observed that this threat is using phishing techniques to deliver malicious office documents, it is important to address these challenges.  This requires selecting and implementing a Secure Email Gateway that can not only see and effectively stop threats, but easily integrate into a larger security strategy. The AAA rated FortiMail fully integrates into the Fortinet Security Fabric, enabling organizations to deploy FortiMail as part of a complete end-to-end security solution.

Organizations are also strongly encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. This should include encouraging employees to never open attachments from someone they don't know and always treat emails from unrecognized/untrusted senders with caution. 

Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, end-users within an organization must be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates originating from an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links can also help prevent initial access into the network.

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.

Learn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program. Learn more about FortiGuard Labs global threat intelligence and research and the FortiGuard Security Subscriptions and Services portfolio.