UPDATE: On September 14, 2021, Microsoft updated their advisory page on the CVE-2021-40444 vulnerability, announcing that a patch is now available for all versions of Windows. The UISO strongly recommends that everyone install the latest patches for their version of Windows as soon as possible. If you need to manually download and install this patch, check the Security Updates table at the bottom of the advisory page on the CVE-2021-40444 vulnerability for links to the Microsoft Update Catalog.
Background
On September 7, 2021, Microsoft released information about an MSHTML Remote Code Execution vulnerability, CVE-2021-40444 [1], affecting Microsoft Office documents. The flaw (CVSS score: 8.8) is rooted in MSHTML (aka Trident), the proprietary browser engine of the now-discontinued Internet Explorer, which Office still uses to render web content inside Word, Excel, and PowerPoint documents.
Impact
An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. In a real-world scenario these attacks happen via phishing, when a user opens documents they received via email or were convinced to download, which then triggers the vulnerability. Users performing their day-to-day work as a non-privileged user could be less impacted than users who operate with privileged accounts.
Platforms affected
All versions of Windows, including workstation and server versions.
Local observations
The UISO has not observed local attacks exploiting this vulnerability.
UISO recommendations
UPDATE: There is now a patch for this vulnerability for all versions of Windows. Ensure all devices running Windows are fully patched. If a patch is not available for the version of Windows running on your device or a delay in patching is required, continue to follow the recommendations below.
Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. UISO strongly encourages ITPros to keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”. If this kind of alert is seen in your environment, please notify it-incident@iu.edu.
Lastly, users are strongly encouraged not to open any documents that they were not expecting.
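To confirm that a Windows host is running the detection build named above, the following check can be run in an elevated PowerShell session. This is an added example, not part of the UISO advisory; it assumes the built-in Microsoft Defender PowerShell module (Get-MpComputerStatus, Update-MpSignature) is present, which is the case on Windows 10 and Windows Server 2016 or later.

```powershell
# Added example (not from the UISO advisory): verify that Microsoft Defender Antivirus
# on this host is at or above the detection build the advisory calls for, and that
# real-time protection is actually on, since signatures alone do nothing when it is off.
# Assumes the built-in Defender module provides Get-MpComputerStatus and Update-MpSignature.

$RequiredSignature = [version]'1.349.22.0'   # detection build cited in the advisory

function Test-DefenderSignatureForCve202140444 {
    $status  = Get-MpComputerStatus
    $current = [version]$status.AntivirusSignatureVersion

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        AntivirusEnabled     = $status.AntivirusEnabled
        RealTimeProtection   = $status.RealTimeProtectionEnabled
        SignatureVersion     = $current
        SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
        MeetsRequirement     = ($current -ge $RequiredSignature)
    }
}

$check = Test-DefenderSignatureForCve202140444
$check | Format-List

if (-not $check.AntivirusEnabled -or -not $check.RealTimeProtection) {
    Write-Warning "Defender real-time protection is not active on $($check.ComputerName); an up-to-date signature will not help here."
}
if (-not $check.MeetsRequirement) {
    Write-Warning "Signature $($check.SignatureVersion) is older than $RequiredSignature; requesting the latest definitions."
    Update-MpSignature   # needs an elevated session and access to Microsoft Update or your WSUS/SCCM source
}
```

Hosts where MeetsRequirement is false after Update-MpSignature, or where real-time protection is reported off, are the ones to escalate to your ITPro before relying on Defender for coverage of this vulnerability.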
Workarounds
The workarounds provided by Microsoft have already been bypassed; no known workaround exists [2].
Further reading
[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444