Security Experts:

Patch Tuesday: Microsoft Plugs Exploited MSHTML Zero-Day Hole

Microsoft on Tuesday shipped a major security update to blunt zero-day attacks targeting a gaping hole in its proprietary MSHTML browsing engine.

The patch comes exactly one week after the Redmond, Wash. software giant acknowledged the CVE-2021-40444 security defect and confirmed the existence of in-the-wild exploitation via booby-trapped Microsoft Office documents.

Microsoft did not provide additional details of the live attacks or any indicators of compromise to help defenders hunt for signs of malicious activity.  However, there are enough clues in the attribution section of Microsoft’s bulletin to suggest this is the work of nation-state APT actors.

Microsoft credited four different external researchers with reporting this exploit. Three of the four are affiliated with Mandiant, an anti-malware forensics firm that regularly documents high-end targeted attacks.

Counting this MSHTML vulnerability, there have been 66 documented zero-day attacks so far in 2021. According to data tracked by SecurityWeek, 20 of the 66 zero-days targeted code from Microsoft.

[READ: Microsoft Office Zero-Day Hit in Targeted Attacks ]

The September batch of patches from Microsoft covers at least 66 documented vulnerabilities in a range of Windows, Office, Edge (Chromium), Windows DNS, SharePoint Server and the Windows Subsystem for Linux.

Microsoft slapped its highest “critical” severity rating on three of the 66 bulletins, urging Windows fleet administrators to prioritize the testing and deployment of those updates.

Security professionals are also calling attention to CVE-2021-36965, a remote code execution issue in the Windows WLAN AutoConfig service.  According to ZDI’s Dustin Childs, this flaw could allow network adjacent attackers to run their code on affected systems at SYSTEM level. 

“This means an attacker could completely take over the target – provided they are on an adjacent network. This would be highly useful in a coffee shop scenario where multiple people are using an unsecured WiFi network. Still, this requires no privileges or user interaction, so don’t let the adjacent aspect of this bug diminish the severity. Definitely test and deploy this patch quickly,” Childs said in a blog post summarizing the Patch Tuesday bulletins.

Microsoft’s Patch Tuesday comes on the heels of Google and Apple responding separately to zero-day exploitation on its iOS, macOS and Chrome platforms.

On Monday this week, Apple pushed out an iOS and macOS patch to address gaping security holes, which Google shipped an advisory of its own to warn of a pair of already-exploited flaws in its desktop Chrome browser.

The new Google Chrome 93.0.4577.82, available for Windows, macOS and Linux users, fixes at least nine documented security defects, all carrying a “high-severity” rating.

Related: Apple Ships Urgent Patch for FORCEDENTRY Zero-Days 

Related: Microsoft Patches 3 Under-Attack Windows Zero-Days

Related: Microsoft Raises Alarm for New Windows Zero-Day Attacks

Related: Apple Patches 'Actively Exploited' Mac, iOS Security Flaw

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.