As some expected and many hoped, Microsoft yesterday did push out a fix for CVE-2021-40444, a zero-day remote execution vulnerability in MSHTML that came to light last week.
The company fixed the issue in its monthly round of Patch Tuesday updates, including it in its Monthly Rollups, Security Only, and IE Cumulative updates.
The bug affected MSHTML, the browser engine that Internet Explorer is based on.
The company published a workaround - disabling ActiveX controls in Internet Explorer - and a mitigation - making sure that files are opened in Protected View or Application Guard for Office - last week, but they proved less than fruitful when it came to stopping exploits.
While Microsoft traditionally opens documents in read-only mode - something which mitigated the exploit - a user could have ignored the warning and clicked through anyway, just as a user could click "Enable Editing" to enable macros and, in turn, unleash malware.
If an attacker wanted to, they could have side-stepped Microsoft's mitigation by triggering the exploit with an RTF file, too, researchers warned last week.
While only Windows Server 2008 through 2019 and Windows 8.1 through 10 were vulnerable, the company still cautioned users about the vulnerability, as it was low in complexity and required no privileges to exploit. It's unclear how widely the vulnerability was being exploited, but researchers did claim last week that they saw it being used to drop malicious Cobalt Strike payloads onto victims. After gaining a foothold on victims' machines - Cobalt Strike's payload is known as a 'Beacon' - the attacker would be able to move laterally through a network and steal files.
The company also used Tuesday to patch another publicly known zero-day, CVE-2021-36968, a Windows DNS Elevation of Privilege vulnerability. While technical details of the bug aren't known, it's not being actively exploited and, as of yesterday, has been fixed.
The vulnerabilities were two of the 66 in total that Microsoft shipped fixes for this week; 86 if you include the 20 issues fixed in Edge earlier this month. According to the Zero Day Initiative, which routinely analyzes updates issued by companies like Microsoft, Adobe, and Apple, only three of the CVEs were critical; 62 were important, and one was rated moderate.
Also fixed in this month's update, after weeks of confusion, was one of the last remaining Print Spooler, aka PrintNightmare, vulnerabilities. The bug, CVE-2021-36958, could have let an attacker run arbitrary code with SYSTEM privileges.