Unveiling the Exploitation: Zero-Day Weakness in MSHTML (CVE-2021-40444)

In a recent announcement, Microsoft shed light on a zero-day vulnerability (CVE-2021-40444) discovered in Microsoft MSHTML, which nefarious actors are actively exploiting through Microsoft Office documents.

According to Microsoft, this vulnerability has already been exploited in targeted attacks against users of Microsoft Office. In their attempt to take advantage of this vulnerability, attackers create a document containing a meticulously crafted object. Once a user opens the document, MS Office proceeds to download and execute a malicious script. 

Does Protected View Provide Adequate Defense? 

Although Microsoft claims that Office opens documents from the internet within the protective confines of Protected View or Application Guard for Office, both of which can thwart the current attack, the RTF attack vector remains vulnerable to exploitation. Adversaries can exploit various bypasses for Protected View. Nonetheless, it is crucial for administrators to ensure that Protected View is enabled. Microsoft has offered temporary workarounds to mitigate the issue until an official patch is released. 

These attacks continue to transpire across the globe. We are presently witnessing endeavors to exploit the CVE-2021-40444 vulnerability, targeting companies spanning diverse sectors, including research and development, energy, large-scale industrial enterprises, banking, medical technology development, telecommunications, and the IT sector. 

According to Microsoft, both Microsoft Defender Antivirus and Microsoft Defender for Endpoint can detect malicious files as long as the definitions are kept up-to-date. Organizations relying solely on Microsoft Defender for Endpoint should ensure that their EDR (Endpoint Detection and Response) is set to block mode. 

Technical Insights 

The vulnerability in question, CVE-2021-40444, pertains to remote code execution and was uncovered in MSHTML—the Internet Explorer browser engine. This component is integral to modern Windows systems, encompassing both user and server environments. Moreover, various programs utilize this engine to interact with web content, such as MS Word or MS PowerPoint. 

To exploit the vulnerability, attackers embed a specialized object in a Microsoft Office document, which includes a URL pointing to a malicious script. If a victim opens the document, Microsoft Office retrieves the malevolent script from the URL and executes it using the MSHTML engine. The script can then employ ActiveX controls to carry out malicious actions on the victim's computer. For example, the initial zero-day exploit employed in targeted attacks at the time of discovery utilized ActiveX controls to download and execute a Cobalt Strike payload. Presently, we are observing the delivery of various types of malware, predominantly backdoors, by capitalizing on the CVE-2021-40444 vulnerability. 

Endpoint Detection and Response (EDR)

Within the security center, the presence of the following alert titles can indicate potential threat activity on your network: 

  • Possible exploitation of CVE-2021-40444 (requires Defender Antivirus as the Active AV) Additionally, the following alerts may also indicate threat activity associated with this vulnerability. However, these alerts can also be triggered by unrelated threat activity and are not monitored within the provided status cards in this report. 
  • Suspicious Behavior by Office Application (detects anomalous process launches associated with CVE exploitation and other malicious behavior) 
  • Suspicious use of Control Panel item 


To mitigate the risk, it is advisable to enable cloud-delivered protection to combat rapidly evolving attacker tools and techniques. Cloud-based machine learning protections effectively block the majority of new and unknown variants. Staying up-to-date with the latest Threat Intelligence information is crucial to remain informed about the Tactics, Techniques, and Procedures (TTPs) employed by threat actors. 

Businesses should adopt a comprehensive security solution that incorporates vulnerability management, patch management, and exploit prevention components. For instance, the Automatic Exploit Prevention component in Kaspersky Endpoint Security for Business effectively monitors suspicious activities within applications and prevents the execution of malicious files. [Text Wrapping Break][Text Wrapping Break]Solutions like Ultraviolet Cyber MDR-as-a-service and our customized Built to Suit Services can assist in early detection and prevention of attacks before the perpetrators achieve their ultimate objectives. The Ultraviolet Cyber teams provide invaluable support in pre-implementation discovery, planning, design activities, and execution using the "Outcome-based - Built to Suit Services" model. 

Preventing Exploits with Ultraviolet Cyber's Endpoint Security 

At Ultraviolet Cyber, we employ distinct methodologies to assist our customers in securing their organizations. Our endpoint security solutions encompass data security, network security, advanced threat prevention, forensics, endpoint detection and response (EDR), and remote access VPN solutions. In addition to incident response, vulnerability management, and various other security services, we offer threat hunting capabilities that expose Advanced Persistent Threats (APTs) and potential risks. Our machine-learning classification enables the near real-time detection of zero-day threats. 

Our centralized endpoint management platform provides enhanced visibility and simplifies operations. We urge administrators to conduct an enterprise-wide IoC (Indicators of Compromise) sweep to determine if their organizations have been targeted. Ultraviolet Cyber is well aware of targeted attacks exploiting CVE-2021-40444, and our products are designed to counter such attacks. On September 7, 2021, Microsoft shared a partial workaround for this flaw, and within a mere 24 hours, an upsurge in exploitation attempts was observed. Since an official patch is yet to be released and bypasses exist for existing mitigations, enterprise defenders must remain vigilant and proactively hunt for threats within their networks. 

Frequently Asked Questions

Zero-day vulnerabilities are software security flaws unknown to the vendor and the public. Cybercriminals exploit these vulnerabilities before developers can release patches or updates, making them particularly dangerous. Organizations must be vigilant and proactive in their cybersecurity efforts to defend against potential attacks exploiting zero-day vulnerabilities.

One of the most prominent examples of a zero-day attack is the Stuxnet worm, discovered in 2010. It targeted Iran's nuclear facilities, exploiting multiple zero-day vulnerabilities in Windows and Siemens industrial control systems. Stuxnet showcased the potential of sophisticated cyberweapons and highlighted the significance of zero-day vulnerabilities in cyber warfare.

Microsoft employs several strategies to protect against zero-day attacks. These include:

  1. Timely Patching: Releasing security updates and patches to address vulnerabilities as soon as they are discovered.
  2. Exploit Mitigations: Incorporating features like DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) to make exploitation harder.
  3. Bug Bounty Programs: Encouraging researchers to report vulnerabilities for rewards, enabling faster detection and mitigation.