A flaw in the MSHTML engine that lets an attacker use a malicious Office document to install malware is currently being used against the energy, industrial, banking, medical tech, and other sectors.
A recently reported security vulnerability in Microsoft’s MSHTML browser engine is being found all over the world, and Kaspersky said it “expects to see an increase in attacks using this vulnerability.”
MSHTML is the under-the-hood browser engine that is found in every single currently available version of Windows, both server and PC. As such, this vulnerability affects everyone with a Windows machine of any kind, meaning this is a serious threat.
To make matters worse, the vulnerability (CVE-2021-40444) is easy to exploit: All an attacker has to do is send a Microsoft Office document to the intended victim that contains a malicious script. Like plenty of other attacks using malicious documents, the victim has to open the document in order to infect their machine with the attacker’s actual payload, which is retrieved by the script in the document. Once downloaded, Kaspersky said that most are using ActiveX controls to perform further malicious actions. In the wild, Kaspersky said, most of the detected attacks install backdoors that give attackers additional access to the infected machine.
SEE: Security incident response policy (TechRepublic Premium)
Kaspersky said that it’s been detecting these kinds of attacks all over the world, and there’s a short list of popular targets that won’t surprise anyone familiar with the usual industries targeted by cybercriminals. Research and development, energy, large industry, banking, medical technology, telecommunications and IT were all listed as being the most commonly attacked, at least by its metrics.
How to avoid falling prey to an MSHTML attack
Luckily for most Windows users, this attack is easy to avoid by following good cybersecurity best practices. Don’t open documents from unknown sources, and be suspicious of unusual attachment names and types, and the type of message that accompanies attachments from known sources.
In addition, Microsoft said that users who don’t have administrative rights on their machines will be much less impacted, so IT teams should focus on those with administrative or power user rights for applying patches and workarounds.
SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)
Speaking of which, Microsoft has released security updates that address the MSHTML vulnerability. Because of the ease, widespread nature and potential damage of this exploit, be sure to update all affected systems (which means anything running Windows) as soon as possible.
In situations where updating a Windows system may be difficult, Microsoft has published workarounds that disable ActiveX via group policy, disabled ActiveX with a custom registry key and a Windows Explorer preview disable registry edit that will prevent scripts from being run in without fully opening a document.