Digital Guardian's Blog

Microsoft Fixes MSHTML Zero Day in Patch Tuesday Update

by Chris Brook on Wednesday September 15, 2021


Microsoft fixed last week's MSHTML zero day, a vulnerability it confirmed was being exploited in the wild, in this month's Patch Tuesday round of updates.

As some expected and many hoped, Microsoft yesterday pushed out a fix for CVE-2021-40444, a zero-day remote code execution vulnerability in MSHTML that came to light last week.

The company fixed the issue in its monthly round of Patch Tuesday updates, including it in its Monthly Rollups, Security Only, and IE Cumulative updates.

The bug affected MSHTML, the browser engine that Internet Explorer is based on.

The company published a workaround (disabling ActiveX controls in Internet Explorer) and a mitigation (making sure that files are opened in Protected View or Application Guard for Office) last week, but both proved of limited use when it came to stopping exploits.

While Office traditionally opens downloaded documents in read-only mode, which did mitigate the exploit, a user could have ignored the warning and clicked through anyway, just as a user could click "Enable Editing" to enable macros and, in turn, unleash malware.

An attacker could also have side-stepped Microsoft's mitigation by triggering the exploit with an RTF file, researchers warned last week.

While only Windows Server 2008 through 2019 and Windows 8.1 through 10 were vulnerable, the company still cautioned users about the vulnerability, as it was low in complexity and required no privileges to carry out. It's unclear how widely the vulnerability was being exploited, but researchers did claim last week that they saw it being used to drop malicious Cobalt Strike payloads onto victims. After gaining a foothold on a victim's machine (Cobalt Strike's payload is known as a 'Beacon'), the attacker would be able to move laterally through a network and steal files.

The company also used Tuesday to patch another publicly known zero day, CVE-2021-36968, a Windows DNS elevation of privilege vulnerability. Technical details of the bug aren't known; it is not being actively exploited and, as of yesterday, has been fixed.

The vulnerabilities were two of the 66 in total that Microsoft shipped fixes for this week; 86 if you include the 20 issues fixed in Edge earlier this month. According to the Zero Day Initiative, which routinely analyzes updates issued by companies like Microsoft, Adobe, and Apple, only three of the CVEs were critical; 62 were important, and one was rated moderate.

Also fixed in this month's update, after weeks of confusion, was one of the last remaining Print Spooler (aka PrintNightmare) vulnerabilities. The bug, CVE-2021-36958, could have let an attacker run arbitrary code with SYSTEM privileges.

Tags: Vulnerabilities

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.