Researchers warn that cybercriminals are already sharing tutorials and exploits for the CVE-2021-40444 vulnerability on hacker forums, allowing more hackers to exploit the new vulnerability in their attacks.
Let me remind you that last week Microsoft issued a warning about a new zero-day vulnerability in Microsoft MHTML (aka Trident), the proprietary Internet Explorer browser engine. It has been reported that the issue is already being exploited in real attacks against Office 365 and Office 2019 users on Windows 10, but there is no patch for it yet.
The vulnerability affects Windows Server 2008-2019 and Windows 8.1-10 (8.8 out of 10 on the CVSS scale). Although MHTML was primarily used for the Internet Explorer browser, it is also used in Office applications to render web-based content within Word, Excel, and PowerPoint documents.
As Microsoft representatives explained, using this bug, an attacker can create a malicious ActiveX component that will be used by a Microsoft Office document and processed by MHTML. In fact, the attacker only has to convince the user to open such a malicious file, after which the attack can be considered a success.
Soon after this message from the IT giant, researchers warned that the problem could be more dangerous, since Protected View or Application Guard cannot always protect from its exploitation. In addition, the experts found that the vulnerability can also be exploited using RTF files, which are not protected by Office Protected View at all. We also noticed that the bug can be exploited through document previews.
Although the experts did not disclose the details of the methods used, fearing that they would be used by cybercriminals, the hackers were still able to reproduce the exploits on their own (based on information and samples of malicious documents available on the network). Now criminals are actively sharing detailed tutorials and information with each other on hacker forums, say Bleeping Computer journalists . So, additional instructions for creating payloads and a custom CAB file have already been published.
The information disseminated by cybercriminals is simple and allows anyone to create their own version of the exploit for CVE-2021-40444, including a Python server for distributing malicious documents and CAB files. For example, using this information, journalists were able to recreate the exploit in about 15 minutes, as shown in the video below.
The publication notes that currently Microsoft Defender and other security software can already detect and block malicious documents and CAB files used in attacks. Microsoft representatives, in turn, advised to disable ActiveX controls in Internet Explorer, and information security experts are now talking about the need to disable document preview in Explorer.