Microsoft identified attacks targeting a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Active attacks make use of a Microsoft Word document that refers to a remote template file that includes malicious content to download a .cpl file and ultimately execute a DLL file that uses a .inf file extension. Following the announcement, The Cybersecurity and Infrastructure Security Agency (CISA) also encouraged users and organizations to review Microsoft’s mitigations and workarounds to address CVE-2021-40444. The Microsoft stated anyone who uses Defender Antivirus and Defender for Endpoint and enables automatic updates is safe from the vulnerability. The alerts in Microsoft Defender will show up as “Suspicious Cpl File Execution.”
Analyst Notes
Threat hunters should consider searching for Microsoft Word running Control.exe as a child process as an indication of this attack. Microsoft added that Microsoft Office opens documents from the internet in Protected View or Application Guard for Office by default, both of which prevent the current attack. Microsoft also suggested disabling the installation of all ActiveX controls in Internet Explorer. View the full release with mitigations and workarounds here. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
https://www.zdnet.com/article/microsoft-cisa-urge-use-of-mitigations-and-workarounds-for-office-document-vulnerability/
