2021 has been a record-breaking year for cybercrime, and it shows no signs of slowing down. This month another company fell victim to a cyberattack, this time in the form of a zero-day exploit. On Tuesday, September 7, Microsoft discovered a zero-day vulnerability in its MSHTML platform, tracked as CVE-2021-40444. This highly sophisticated attack sent security teams and individuals scrambling to mitigate the issue until a patch was officially released on September 14 during Patch Tuesday. In this post we’ll walk through what a zero-day threat is, what happened in this exploit, and how to safeguard your data against similar attacks.
What is a Zero-Day Exploit?
A zero-day exploit is an advanced form of cyberattack that targets systems through a previously unknown security flaw. In other words, it’s when hackers take advantage of a vulnerable system for which no patch yet exists, putting user data at high risk. What does the term zero-day mean? The name comes from the fact that the developer has only just become aware of the newly discovered flaw, meaning they had zero days to fix it before the bad guys showed up to wreak havoc. This form of attack is considered dangerous because users can go weeks or months without realizing their software is open to attack by cybercriminals. Once a flaw is discovered, a patch must be developed to close the vulnerability.
What Happened During the Windows MSHTML Zero-Day Exploit?
Last week, Microsoft announced a newly discovered security flaw known as the Windows MSHTML Remote Code Execution Vulnerability, CVE-2021-40444. In this exploit, cybercriminals used phishing attacks to send malicious Word documents that compromised victims’ computers. Once the file was downloaded and opened, it gave hackers remote access to the device, letting them steal files and remotely control the user’s computer. Ultimately, this gave hackers a way to spread deeper into a compromised network as they searched for sensitive data and other valuable assets. The exploit was built on malicious ActiveX controls, part of Microsoft’s software framework that allows applications to share information through web browsers, similar to a browser plug-in. When a weaponized Word document loaded successfully, the cybercriminals used the ActiveX control to download malware, giving them unrestricted access to the user’s computer. The CVE-2021-40444 vulnerability in the Microsoft Hypertext Markup Language (MSHTML) browser engine was widespread and affected familiar programs such as Skype and Microsoft Outlook.
Here’s a look at how the attack unfolded:
- The user downloads and opens the malicious Word document.
- The weaponized document contains a specially crafted ActiveX control that lets cybercriminals gain unrestricted access to the victim’s computer.
- The ActiveX code then triggers the Microsoft Hypertext Markup Language (MSHTML) browser engine on the compromised device, allowing hackers to gain full access and install the malware of their choice.
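The chain above starts with a Word document that reaches out for content it does not carry itself. As an added example (not code from the original post), the PowerShell function below triages .docx/.docm files before anyone opens them: a modern Word file is a zip archive whose parts are linked by `_rels/*.rels` XML files, and any relationship marked `TargetMode="External"` pulls content from outside the document. Listing those relationships, with their type and URL scheme, lets a defender spot a document that embeds an external object rather than a plain web hyperlink. The function name and the `C:\quarantine` folder are assumptions for illustration.

```powershell
# Added example, not from the original post: list external relationship targets
# inside Office Open XML documents so suspicious files can be reviewed before opening.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-DocxExternalTargets {
    param([Parameter(Mandatory)][string]$Path)

    # A .docx/.docm is a zip archive; open it read-only without invoking Word.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Relationship parts (e.g. word/_rels/document.xml.rels) wire the document together.
            if ($entry.FullName -notlike '*.rels') { continue }

            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }

            foreach ($rel in $rels.Relationships.Relationship) {
                # Internal relationships have no TargetMode; external ones fetch content from elsewhere.
                if ($rel.TargetMode -ne 'External') { continue }

                $uri = $null
                $scheme = if ([System.Uri]::TryCreate($rel.Target, [System.UriKind]::Absolute, [ref]$uri)) {
                    $uri.Scheme
                } else {
                    'unparsed'
                }

                [pscustomobject]@{
                    File   = $Path
                    Part   = $entry.FullName
                    Type   = ($rel.Type -split '/')[-1]   # e.g. hyperlink, oleObject, attachedTemplate
                    Scheme = $scheme
                    Target = $rel.Target
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
}

# Usage (assumed quarantine folder): report every external relationship that is not an
# ordinary web or mail hyperlink. Embedded objects with external targets deserve a closer look.
Get-ChildItem -Path 'C:\quarantine' -Recurse -File |
    Where-Object { $_.Extension -in '.docx', '.docm' } |
    ForEach-Object { Get-DocxExternalTargets -Path $_.FullName } |
    Where-Object { $_.Type -ne 'hyperlink' -or $_.Scheme -notin 'http', 'https', 'mailto' } |
    Format-Table -AutoSize
```

The function never renders the document, so it is safe to run on untrusted files; it only reads XML out of the archive. Legacy binary `.doc` files are not zip archives and are skipped by the extension filter.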
How Can You Safeguard Your Data?
The most important and impactful way to prevent this type of attack is to NEVER open a suspicious or untrusted document. Fortunately, both Microsoft Defender Antivirus and Microsoft Defender for Endpoint were able to detect the attack and provide a layer of protection during this incident. Even better news came this week when a patch was released in Microsoft’s September 2021 Patch Tuesday cycle. While a patch closes a security bug, you can’t rely on patches alone to keep your systems secure. Below are seven additional ways to keep your data safe:
- Keep all devices and software up to date with the latest security patches to reduce vulnerabilities.
- Install only the applications you need and remove or disable the ones you don’t use.
- Always use a firewall to protect your system against threats.
- Educate users on cyber security best practices — many cyberattacks can be traced back to human error.
- Use a trusted antivirus software solution to block potential threats.
- Don’t open or download files that look suspicious or that you weren’t expecting.
- Always use Office Protected View and disable ActiveX controls that use MSHTML.
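The last item above, disabling ActiveX controls that run through MSHTML, can be enforced centrally rather than left to each user. As an added example (not code from the original post or from Microsoft), the script below sets the Internet Explorer security-zone policy values that control ActiveX downloads, URL actions 1001 (signed) and 1004 (unsigned), to 3 (Disable) in zones 0 to 3, and then prints an audit table so the change can be confirmed. It mirrors the registry workaround Microsoft published in its advisory for CVE-2021-40444; confirm the key names and values against the current advisory before deploying. The script name used in the usage note is an assumption.

```powershell
# Added example, not from the original post: disable ActiveX control downloads in every
# Internet Explorer security zone via machine policy, then audit the result.
# Run from an elevated PowerShell session. Use -WhatIf to preview changes without applying them.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$zonesRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$urlActions = @('1001', '1004')   # 1001 = download signed ActiveX, 1004 = download unsigned ActiveX
$disable    = 3                   # URL action values: 0 = Enable, 1 = Prompt, 3 = Disable

# Zones 0..3: Local Machine, Local Intranet, Trusted Sites, Internet
foreach ($zone in 0..3) {
    $zonePath = Join-Path $zonesRoot $zone

    if (-not (Test-Path $zonePath)) {
        if ($PSCmdlet.ShouldProcess($zonePath, 'Create zone policy key')) {
            New-Item -Path $zonePath -Force | Out-Null
        }
    }

    foreach ($action in $urlActions) {
        $current = (Get-ItemProperty -Path $zonePath -Name $action -ErrorAction SilentlyContinue).$action
        if ($current -eq $disable) {
            Write-Verbose "Zone $zone action $action is already disabled"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$zonePath\$action", "Set to $disable (was '$current')")) {
            New-ItemProperty -Path $zonePath -Name $action -PropertyType DWord -Value $disable -Force | Out-Null
        }
    }
}

# Audit: show the effective policy value for each zone/action so the hardening can be verified.
foreach ($zone in 0..3) {
    foreach ($action in $urlActions) {
        $value = (Get-ItemProperty -Path (Join-Path $zonesRoot $zone) -Name $action -ErrorAction SilentlyContinue).$action
        $state = switch ($value) {
            0       { 'Enable' }
            1       { 'Prompt' }
            3       { 'Disable' }
            default { 'not set (falls back to user or default zone settings)' }
        }
        [pscustomobject]@{ Zone = $zone; UrlAction = $action; Value = $value; State = $state }
    }
}
```

Save it as, for example, `Disable-ActiveXDownloads.ps1`, run it once with `-WhatIf` to see which values would change, then without. Because the values live under the machine policy hive, they override per-user zone settings; a restart ensures the new policy is picked up by every process that hosts MSHTML.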
Once considered rare, zero-days are becoming more common across the IT landscape. In fact, industry projections estimate zero-day exploits will triple this year, surpassing all previous years. An even more unsettling study revealed that zero-day malware made up 74% of detected threats at the start of this year. Even though cybercriminals are becoming bolder and more sophisticated in their attacks, there are many ways you can protect your most valued assets. By staying alert and practicing good digital hygiene, you’ll be well on your way to maximizing your security and protecting your assets from cybercriminals.