JPCERT-AT-2021-0038
JPCERT/CC
2021-09-09(Initial)
2021-09-15(Update)
Microsoft
Microsoft MSHTML Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
Microsoft has announced that it has confirmed an attack using Microsoft Office file that exploits this vulnerability. In the future, attacks using Microsoft Office files that exploit this vulnerability may increase. The users of the affected products are recommended to consider applying the workaround, and also apply security program for this vulnerability as soon as it becomes available.
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
- Windows Server, version 20H2
- Windows Server, version 2004
- Windows 10
- Windows RT 8.1
- Windows 8.1
- Windows 7
Microsoft
What is Protected View?
https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653
Microsoft
Application Guard for Office
https://support.microsoft.com/en-us/topic/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46
Microsoft
Microsoft MSHTML Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
If you have any information regarding this alert, please contact JPCERT/CC.
2021-09-10 Updated "I. Overview" and "IV. Workarounds"
2021-09-15 Updated "III. Solution"
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/
JPCERT/CC
2021-09-09(Initial)
2021-09-15(Update)
I. Overview
On September 7, 2021 (US Time), Microsoft released a security advisory regarding the vulnerability (CVE-2021-40444) in Microsoft MSHTML.A remote attacker leveraging this vulnerability may be able to execute arbitrary code by using specially-crafted Microsoft Office documents.Microsoft
Microsoft MSHTML Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
Microsoft has announced that it has confirmed an attack using Microsoft Office file that exploits this vulnerability. In the future, attacks using Microsoft Office files that exploit this vulnerability may increase. The users of the affected products are recommended to consider applying the workaround, and also apply security program for this vulnerability as soon as it becomes available.
Update: September 10, 2021 Update
On September 9, 2021 (US time), Microsoft released additional information about a workaround for the vulnerability. Regarding this vulnerability, we recommend to continue paying close attention to the information released by Microsoft and others, and consider applying necessary workarounds. Also, be careful not to open untrusted Microsoft Office documents and files.
II. Affected Products and Versions
The following versions are affected by this vulnerability. For the latest information and details, please refer to the information provided by Microsoft.- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
- Windows Server, version 20H2
- Windows Server, version 2004
- Windows 10
- Windows RT 8.1
- Windows 8.1
- Windows 7
III. Solution
As of September 9, 2021, Microsoft has not released an update that addresses the vulnerability. We recommend to pay close attention to the information provided by Microsoft and take the measures as soon as the information on the countermeasure is released.Update: September 15, 2021 Update
On September 14, 2021 (US time), Microsoft released the security update for the vulnerability. Please consider applying update as soon as possible by referring to the information provided by Microsoft.
CVE-2021-40444
Microsoft MSHTML Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
CVE-2021-40444
Microsoft MSHTML Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
IV. Workarounds
As a workaround for the vulnerability, Microsoft has shown how to change the registry settings to disable the installation of all ActiveX controls in Internet Explorer. Please refer to the Microsoft information and consider applying the workaround.Update: September 10, 2021 Update
On September 9, 2021 (US time), Microsoft released additional information about a workaround for this vulnerability. In addition to how to apply the workaround in Group Policy, it shows how to disable file preview in Windows Explorer.
V. Mitigations
Microsoft introduced the "Protected View" and "Application Guard for Office" of Microsoft Office.Microsoft
What is Protected View?
https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653
Microsoft
Application Guard for Office
https://support.microsoft.com/en-us/topic/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46
VI. References
Microsoft
Microsoft MSHTML Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
If you have any information regarding this alert, please contact JPCERT/CC.
Revision History
2021-09-09 First edition2021-09-10 Updated "I. Overview" and "IV. Workarounds"
2021-09-15 Updated "III. Solution"
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/