The National Coordination Center for Computer Incidents (NKTsKI, created by order of the FSB leadership) has warned of a zero-day vulnerability in Microsoft software. As Interfax reports, citing NKTsKI, cybercriminals are actively exploiting a vulnerability in Microsoft MSHTML to deliver various malicious software.
All major versions of Windows in use today – Windows 10, Windows 8.1 and Windows 7, as well as Microsoft Windows Server versions 2008, 2012, 2016, 2019, 2022 – are susceptible to attacks.
According to NKTsKI experts, the absence of a fix from the Windows developer for this vulnerability (registered in the Microsoft database on September 7 under the identifier CVE-2021-40444) creates the preconditions for mass infection of users of the American company's software. For example, cybercriminals have tried to deliver the Cobalt Strike malware through it during targeted attacks. In 2016, it was used for a series of attacks on Russian banks.
Last week, Kaspersky Lab specialists wrote about the situation with CVE-2021-40444. They clarified that the vulnerability is exploited through ActiveX controls embedded in Microsoft Office documents; these controls use the engine of the outdated Internet Explorer 11 browser to display web content.
If the user who opens a file prepared and sent by the cybercriminals exercises due care and does not disable protection (it is disabled by clicking the “Allow editing” button), then nothing bad will happen. Moreover, as stated on the Microsoft website, attacks using this vulnerability are successfully detected and neutralized by the standard free Windows Defender antivirus.
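A defender-side check that follows from the mechanism described above, added here as an example and not taken from the article, NKTsKI, Kaspersky or Microsoft: it assumes the malicious document is an OOXML .docx in which the embedded control is referenced through an oleObject relationship whose target is external (a remote URL), which the article itself does not state. The scanner opens the package offline and reports such relationships, so it can be run on quarantined attachments before a user ever sees the “Allow editing” prompt.

```python
"""Scan an OOXML Word document for OLE-object relationships that point at
remote content, the document-borne delivery pattern reported for CVE-2021-40444.
Added detection example; assumption: a .docx with an External oleObject rel."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
OLE_REL_TYPE = DOC_REL_BASE + "/oleObject"
STYLES_REL_TYPE = DOC_REL_BASE + "/styles"

def find_external_ole_targets(docx_bytes: bytes) -> List[str]:
    """Return the Target of every oleObject relationship marked External,
    checking all .rels parts so embedded sub-documents are covered too."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode") == "External"):
                    hits.append(rel.get("Target", ""))
    return hits

def build_sample_docx(ole_target: Optional[str]) -> bytes:
    """Constructed minimal package for testing, not a real exploit file:
    one benign internal relationship plus, optionally, an external OLE one."""
    ole = ""
    if ole_target is not None:
        ole = (f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
               f'Target="{ole_target}" TargetMode="External"/>')
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{STYLES_REL_TYPE}" '
            f'Target="styles.xml"/>{ole}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    clean = build_sample_docx(None)
    flagged = build_sample_docx("http://example.invalid/payload.html")
    print("clean:", find_external_ole_targets(clean))      # []
    print("flagged:", find_external_ole_targets(flagged))  # ['http://example.invalid/payload.html']
```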
Microsoft said it is investigating the identified vulnerability and, upon completion, will release a security patch if necessary. The earliest it could become available is next Tuesday, September 14th.
Earlier, a serious vulnerability in Microsoft software could have led to data leakage for users of the Azure cloud service. In late August, thousands of Microsoft Azure customers received warning letters from the corporation: it turned out that attackers could theoretically read, change or delete their main databases.