cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Warnings issued over Microsoft Windows MSHTML loophole

Microsoft has confirmed that an MSHTML loophole in Microsoft Windows is currently being exploited by threat actors, with the ACSC issuing a high alert warning.

user iconReporter
Wed, 08 Sep 2021
Warnings issued over Microsoft Windows MSHTML loophole
expand image

The Microsoft MSHTML remote code execution vulnerability (CVE-2021-40444), which was flagged by Microsoft on 7 September, is currently present across all Microsoft Windows installations.

According to a statement on the Microsoft website, the company confirmed that threat actors have already begun attempting to leverage the loophole.

“Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,” a Microsoft statement read.


The Australian Cyber Security Centre and Microsoft currently believe that threat actors would execute the breach by using a malicious ActiveX control in a Microsoft Office document, before using the document to then spear phish further victims.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” the statement from Microsoft continued.

“The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Microsoft has confirmed that Microsoft Defender Antivirus and Microsoft Defender for Endpoint offer protection and detection capabilities for the vulnerability.

The company further recommends ensuring that their cyber security software is up-to-date.

“Customers who utilise automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: ‘Suspicious Cpl File Execution’,” Microsoft said.

Microsoft also provided several workarounds to ensure the ongoing protection: “Disabling the installation of all ActiveX controls in Internet Explorer mitigates this attack. This can be accomplished for all sites by updating the registry. Previously-installed ActiveX controls will continue to run, but do not expose this vulnerability.”

[Related: Data from Microsoft Exchange hack to fuel Chinese AI ambitions]

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.