Patch Tuesday: Microsoft Plugs Exploited MSHTML Zero-Day Hole

Microsoft on Tuesday shipped a major security update to blunt zero-day attacks targeting a gaping hole in its proprietary MSHTML browsing engine.

The patch comes exactly one week after the Redmond, Wash. software giant acknowledged the CVE-2021-40444 security defect and confirmed the existence of in-the-wild exploitation via booby-trapped Microsoft Office documents.

Microsoft did not provide additional details of the live attacks or any indicators of compromise to help defenders hunt for signs of malicious activity.  However, there are enough clues in the attribution section of Microsoft’s bulletin to suggest this is the work of nation-state APT actors.

Microsoft credited four different external researchers with reporting this exploit. Three of the four are affiliated with Mandiant, an anti-malware forensics firm that regularly documents high-end targeted attacks.

Counting this MSHTML vulnerability, there have been 66 documented zero-day attacks so far in 2021. According to data tracked by SecurityWeek, 20 of the 66 zero-days targeted code from Microsoft.

The September batch of patches from Microsoft covers at least 66 documented vulnerabilities in a range of Windows, Office, Edge (Chromium), Windows DNS, SharePoint Server and the Windows Subsystem for Linux.

Microsoft slapped its highest “critical” severity rating on three of the 66 bulletins, urging Windows fleet administrators to prioritize the testing and deployment of those updates.

Security professionals are also calling attention to CVE-2021-36965, a remote code execution issue in the Windows WLAN AutoConfig service.  According to ZDI’s Dustin Childs, this flaw could allow network-adjacent attackers to run their code on affected systems at the SYSTEM level. 

“This means an attacker could completely take over the target – provided they are on an adjacent network. This would be highly useful in a coffee shop scenario where multiple people are using an unsecured WiFi network. Still, this requires no privileges or user interaction, so don’t let the adjacent aspect of this bug diminish the severity.