Security Advisory Regarding Remote Code Execution in MSHTML
Summary of Vulnerability
On September 7th, a security advisory from Microsoft regarding a remote code execution in MSHTML was published by MSRC. According to the advisory, the vulnerability relies on specially crafted Microsoft Office documents in order to be exploited. Since the announcement, there have been a few proof of concept exploits released. Additionally, active malware campaigns have been observed utilizing this vulnerability.
If you’re interested in an analysis of the vulnerability, this blog post by Ret2pwn is one of the better explanations I’ve found.
Known Attack Vectors
The primary method of exploiting this vulnerability is likely to be in the form of phishing attacks and/or social engineering using crafted Microsoft Office documents.
One of the best defenses against phishing is user awareness and engagement with your user community.
- Advise co-workers to be wary of opening email attachments from untrusted sources.
- If members of your organization regularly work with email attachments containing Microsoft Office documents, teach them to trust but verify that the sender of an attachment was actually the one who sent it.
- In the worst-case scenario, inform users to contact your security operations or IT helpdesk team if they received a suspicious document and/or encountered unusual activity on their systems afterward.
Detection and Mitigation
As of today, September 13th, no patch has been made public to counter this vulnerability. However, several mitigations have been recommended:
- According to the MSRC security advisory, disabling the installation of both signed and/or unsigned ActiveX controls prevents the vulnerability from being triggered.
- Additionally, disabling Windows Explorer shell preview for Office documents is another work-around that MSRC recommends. Be aware that the MSRC security advisory to disable shell preview has registry work-arounds that specifically target .docx and .rtf files, but it has been confirmed that this vulnerability can be triggered from PowerPoint files. Additionally, recent research seems to indicate that this vulnerability can be triggered from Internet Explorer as well.
A security researcher by the name of Rich Warren from NCC group released a YARA rule that can be used to detect documents attempting to exploit this vulnerability.
About Hurricane Labs
Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.
For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.