Connect with us

Hi, what are you looking for?


Application Security

Patch Tuesday: Microsoft Plugs Exploited MSHTML Zero-Day Hole

Microsoft on Tuesday shipped a major security update to blunt zero-day attacks targeting a gaping hole in its proprietary MSHTML browsing engine.

Microsoft on Tuesday shipped a major security update to blunt zero-day attacks targeting a gaping hole in its proprietary MSHTML browsing engine.

The patch comes exactly one week after the Redmond, Wash. software giant acknowledged the CVE-2021-40444 security defect and confirmed the existence of in-the-wild exploitation via booby-trapped Microsoft Office documents.

Microsoft did not provide additional details of the live attacks or any indicators of compromise to help defenders hunt for signs of malicious activity.  However, there are enough clues in the attribution section of Microsoft’s bulletin to suggest this is the work of nation-state APT actors.

Microsoft credited four different external researchers with reporting this exploit. Three of the four are affiliated with Mandiant, an anti-malware forensics firm that regularly documents high-end targeted attacks.

Counting this MSHTML vulnerability, there have been 66 documented zero-day attacks so far in 2021. According to data tracked by SecurityWeek, 20 of the 66 zero-days targeted code from Microsoft.

[READ: Microsoft Office Zero-Day Hit in Targeted Attacks ]

The September batch of patches from Microsoft covers at least 66 documented vulnerabilities in a range of Windows, Office, Edge (Chromium), Windows DNS, SharePoint Server and the Windows Subsystem for Linux.

Advertisement. Scroll to continue reading.

Microsoft slapped its highest “critical” severity rating on three of the 66 bulletins, urging Windows fleet administrators to prioritize the testing and deployment of those updates.

Security professionals are also calling attention to CVE-2021-36965, a remote code execution issue in the Windows WLAN AutoConfig service.  According to ZDI’s Dustin Childs, this flaw could allow network adjacent attackers to run their code on affected systems at SYSTEM level. 

“This means an attacker could completely take over the target – provided they are on an adjacent network. This would be highly useful in a coffee shop scenario where multiple people are using an unsecured WiFi network. Still, this requires no privileges or user interaction, so don’t let the adjacent aspect of this bug diminish the severity. Definitely test and deploy this patch quickly,” Childs said in a blog post summarizing the Patch Tuesday bulletins.

Microsoft’s Patch Tuesday comes on the heels of Google and Apple responding separately to zero-day exploitation on its iOS, macOS and Chrome platforms.

On Monday this week, Apple pushed out an iOS and macOS patch to address gaping security holes, which Google shipped an advisory of its own to warn of a pair of already-exploited flaws in its desktop Chrome browser.

The new Google Chrome 93.0.4577.82, available for Windows, macOS and Linux users, fixes at least nine documented security defects, all carrying a “high-severity” rating.

Related: Apple Ships Urgent Patch for FORCEDENTRY Zero-Days 

Related: Microsoft Patches 3 Under-Attack Windows Zero-Days

Related: Microsoft Raises Alarm for New Windows Zero-Day Attacks

Related: Apple Patches ‘Actively Exploited’ Mac, iOS Security Flaw

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...