Software giant Microsoft has identified a remote code execution vulnerability in MSHTML that is affecting Microsoft Windows. It is the latest in a series of attacks targeting Microsoft users.
The threat, CVE-2021-40444, lies in the MSHTML component of Internet Explorer on Windows 10 and supported Windows Server versions. MSHTML, also known as Trident, is the browser rendering engine that ships with Windows.
While Internet Explorer is due to be retired and is declining in popularity, the same component is also used by Microsoft Office applications.
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” states a Microsoft security advisory issued on September 7.
“The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
The latest Microsoft vulnerability comes as Australian Parliamentary Joint Committee on Intelligence and Security member Senator Eric Abetz calls for a cybersecurity summit.
“Potentially, in the future, it won’t be bullets fired to force a country to shut down. It will be cybersecurity attacks that can shut down a water supply, a power supply, and neutralise a country. In those circumstances, I think it is worthwhile to continue to remind government and elevate this issue,” he told MySecurity Media on MySecurity TV.
Senator Abetz says there is a cyberattack on an Australian business every ten minutes. These cyberattacks cost the Australian economy $29 billion annually.
“Whilst the Federal Government has done an outstanding job in tandem with the business sector and institutions, the wisdom of holding a cybersecurity summit is as unassailable as it would be beneficial.”
Not everyone agrees. Tim Watts MP, Shadow Assistant Minister for Communications and Cyber Security, says there has been enough talking about cybersecurity.
“That Senator Abetz thinks a summit is necessary demonstrates the Morrison Government’s complete lack of political leadership on cyber security.
“The Morrison Government isn’t short of advice from experts. What’s missing is the delivery on all its cyber security tough talk.
“Experts have been telling the government to tackle the urgent threat of ransomware for months, but still the government hasn’t acted.
“We don’t need more talk on cyber security from the government. We need action.”
Any summit would come too late for Microsoft, which confirms that a series of targeted attacks are already attempting to exploit the MSHTML vulnerability using specially crafted Microsoft Office documents.
“In reality, no one has to write code for this; it is already written,” says David Maynor, cybersecurity consultant at SourceSecurity. Calling the code used to exploit the MSHTML vulnerability “robust and weaponised”, Maynor says the malicious code is “just floating around the internet waiting for someone to grab and repurpose.”
While an official fix is yet to be released, Microsoft notes that its Microsoft Defender Antivirus and Microsoft Defender for Endpoint products provide detection and protection against the known attacks.
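Pending the patch, Microsoft's advisory also published an interim workaround: disable ActiveX control downloads in every Internet Explorer security zone through machine policy, which stops the malicious control from being installed even if a user opens the document. The script below is an added example, not from the article or from Microsoft; it applies and verifies that workaround using the registry locations from the advisory, and assumes it runs in an elevated PowerShell session.

```powershell
# Added example: apply Microsoft's published CVE-2021-40444 workaround.
# Machine-policy zone settings override per-user Internet Options.
# Zone ids: 0 = Local Machine, 1 = Intranet, 2 = Trusted sites, 3 = Internet.
# URL actions: 1001 = "Download signed ActiveX controls",
#              1004 = "Download unsigned ActiveX controls"; value 3 = Disable.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = 0..3
$actions = '1001', '1004'

function Disable-ActiveXDownloads {
    foreach ($zone in $zones) {
        $key = Join-Path $base $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($action in $actions) {
            # -Force overwrites any existing value rather than failing.
            New-ItemProperty -Path $key -Name $action -Value 3 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-ActiveXDownloadsDisabled {
    # Returns $true only when every zone has both actions set to 3 (Disable).
    foreach ($zone in $zones) {
        $key = Join-Path $base $zone
        if (-not (Test-Path $key)) { return $false }
        $props = Get-ItemProperty -Path $key
        foreach ($action in $actions) {
            if ($props.$action -ne 3) { return $false }
        }
    }
    return $true
}

Disable-ActiveXDownloads
if (Test-ActiveXDownloadsDisabled) { 'ActiveX downloads disabled in zones 0-3' }
else { Write-Error 'Workaround not fully applied' }
```

Microsoft's advisory noted that a reboot is needed for the new configuration to take effect, and that the setting does not remove ActiveX controls that were already installed.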