Solved

CVE-2021-40444 - Microsoft MSHTML Remote Code Execution Vulnerability

  • 8 September 2021
  • 3 replies
  • 525 views

Microsoft recently disclosed information on CVE-2021-40444; in their post they note that “Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability.” However, there hasn’t been any information published by Webroot yet. You would think Microsoft would share some information with their partners BEFORE notifying the public…


Does anyone know if Webroot is protecting against this threat?


Regards,


Best answer by TylerM 8 September 2021, 21:58

Webroot is not able to prevent this exploit, but we would be able to block and stop the malicious payloads that are dropped on a system breached by this, which are usually ransomware, botnets, or cryptominers. By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack. This specific attack still relies on a user having ActiveX enabled, and on having to convince the user to open the documents. It’s very similar to convincing users to “enable content” in their Office documents.

Our training modules for employees educate around documents that are malicious (macros), and modules for admins educate to limit permissions that aren’t needed for the average user. This will insulate from the risks of most of the exploits that are revealed what seems like every day now.

The only way to fix this operating system exploit is through Microsoft, as bugs in their code are the source of the exploit. As long as you have your Windows OS set to perform updates automatically, it should patch this.
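As an added example, not from the original thread or from Webroot, the following read-only PowerShell audit checks the two preconditions TylerM names: Protected View turned off for Internet files, and ActiveX controls allowed in the Internet zone. The registry locations and the Office 16.0 hive are assumptions based on standard Office and Internet zone settings.

```powershell
# Added example, not from the original thread. Read-only audit of the two
# preconditions named in the answer. Registry paths and the Office hive
# version are assumptions; adjust OfficeVersion for other releases.
$OfficeVersion = '16.0'

function Get-ProtectedViewStatus {
    # DisableInternetFilesInPV = 1 means Internet files open WITHOUT Protected View.
    # Policy hive (Policies\Microsoft\Office) takes precedence over the user hive.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        foreach ($root in 'HKCU:\Software\Policies\Microsoft\Office', 'HKCU:\Software\Microsoft\Office') {
            $key = "$root\$OfficeVersion\$app\Security\ProtectedView"
            $val = (Get-ItemProperty -Path $key -Name DisableInternetFilesInPV -ErrorAction SilentlyContinue).DisableInternetFilesInPV
            [pscustomobject]@{
                Check   = "ProtectedView/$app"
                Source  = $key
                Value   = $val
                Finding = $(if ($val -eq 1) { 'WEAK: Protected View off for Internet files' } else { 'OK (enabled or default)' })
            }
        }
    }
}

function Get-ActiveXZoneStatus {
    # Internet zone is Zones\3. Value 1001 = download signed ActiveX controls,
    # 1004 = download unsigned ActiveX controls. 0 = Enable, 1 = Prompt, 3 = Disable.
    # A machine policy under HKLM\...\Policies overrides the per-user setting when present.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    foreach ($p in $paths) {
        foreach ($name in '1001', '1004') {
            $val = (Get-ItemProperty -Path $p -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Check   = "ActiveX/$name"
                Source  = $p
                Value   = $val
                Finding = $(switch ($val) {
                    3       { 'OK: disabled' }
                    1       { 'Prompt: relies on the user saying no' }
                    0       { 'WEAK: enabled' }
                    default { 'not set at this location' }
                })
            }
        }
    }
}

# Run both audits and show the results side by side.
$(Get-ProtectedViewStatus; Get-ActiveXZoneStatus) | Format-Table -AutoSize
```

A 'WEAK' row on either check means the host matches the conditions the answer describes as needed for the document to run code; 'not set' rows simply mean the default applies at that location.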


3 replies


@TylerM is the best person to answer this type of question.



Thanks Tyler, I couldn’t have said it better. 👍
