Zero-Day MSHTML Flaw in Microsoft Windows
A remote code execution vulnerability in MSHTML is being actively exploited in targeted attacks. MSHTML, also known as Trident, is the proprietary browser engine for the Windows version of Internet Explorer. Microsoft has not yet released a patch but has published mitigations for the vulnerability.
For now, follow Microsoft's advice on disabling ActiveX, but realize the mitigation may not be complete: Microsoft's workaround prevents the installation of new ActiveX controls, but an attacker may be able to use controls that are already installed. Similarly, the Protected View warnings appear to be easily bypassed. Let's hope we get a patch for this on Tuesday; until then, the only thing protecting us is vigilant users.
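Because the workaround has to be applied to every Internet Explorer security zone, it is easy to apply it partially. The script below is an added example (not from this brief or from Microsoft) that checks `reg query` output for the values Microsoft's published workaround sets: URLACTION 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) set to 3 (disabled) in zones 0 through 3 under the policy Zones key. The sample text is constructed to look like `reg query` output and deliberately leaves two gaps so the check has something to report.

```python
"""Verify the ActiveX-install workaround across IE security zones.

Added example; the registry key and value names are the ones in
Microsoft's published workaround, the sample output below is constructed.
"""
import re

ZONES_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows"
             r"\CurrentVersion\Internet Settings\Zones")
REQUIRED = {"1001": 3, "1004": 3}   # URLACTION values the workaround sets to 3 (disable)
ZONES = ("0", "1", "2", "3")         # Local Machine, Local Intranet, Trusted, Internet

# Constructed sample of `reg query "<ZONES_KEY>" /s` output:
# zone 2 is missing 1004 and zone 3 still has 1001 enabled (0).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1001    REG_DWORD    0x3
    1004    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1001    REG_DWORD    0x3
    1004    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1001    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    1001    REG_DWORD    0x0
    1004    REG_DWORD    0x3
"""

# One "    <name>    REG_DWORD    0x<hex>" value line.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$")


def parse_reg_query(text):
    """Return {zone: {value_name: int}} for the zone subkeys of ZONES_KEY."""
    zones, current = {}, None
    for line in text.splitlines():
        if line.startswith(ZONES_KEY + "\\"):
            current = line[len(ZONES_KEY) + 1:].strip()
            zones.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            zones[current][m.group(1)] = int(m.group(2), 16)
    return zones


def missing_workaround(zones):
    """List (zone, value_name, found) where the workaround is not fully applied.

    `found` is None when the value is absent, otherwise the DWORD that is set.
    """
    gaps = []
    for zone in ZONES:
        values = zones.get(zone, {})
        for name, wanted in REQUIRED.items():
            found = values.get(name)
            if found != wanted:
                gaps.append((zone, name, found))
    return gaps


if __name__ == "__main__":
    for zone, name, found in missing_workaround(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"zone {zone}: {name} is {found!r}, expected 3")
```

Feed it the real output of `reg query` on the policy Zones key (exported from each endpoint by your management tooling) instead of the sample; an empty result means all four zones carry both values. Note this only confirms the registry side of the workaround; as the brief says, controls that are already installed are outside its scope.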
Trident is the embedded browser that renders HTML content within Office documents. By default, documents opened from the Internet open in Protected View (or Application Guard) and cannot execute the exploit. A user needs to be tricked into both opening the document and trusting it (disabling those protections), so a key mitigation remains user caution when opening documents received from the Internet. Microsoft Defender and Defender for Endpoint detect and prevent this exploit; verify that your endpoint protection service does as well.
Zero-days and breaches are inevitable. Prevention is the goal, but detection and response are the reality. Focus on detecting anomalies such as Microsoft Word spawning child processes it does not normally spawn.
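The parent/child rule above is simple to implement against process-creation telemetry. The following is an added example (not from this brief or from any vendor) that reads constructed lines shaped like Sysmon Event ID 1 records exported as JSON and flags any Office application starting a child outside an allowlist. The field names follow Sysmon's, but the allowlist of expected children is an assumption for the example and must be replaced with a baseline measured on your own fleet; anything not on that baseline is worth a look, whatever the child is.

```python
"""Flag Office applications spawning unexpected child processes.

Added example. Events are constructed to resemble Sysmon Event ID 1
(process creation) in JSON; BASELINE_CHILDREN is an assumed baseline.
"""
import json
import ntpath  # splits Windows paths correctly even when run on Linux/macOS

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children an Office app is expected to start in this (assumed) environment.
BASELINE_CHILDREN = {"splwow64.exe", "ai.exe"}

# Constructed sample telemetry: one benign spawn, two unexpected spawns,
# one event where Word is the child (not the parent), and one non-process event.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2021-09-08 14:02:11", "Image": "C:\\Windows\\splwow64.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "splwow64.exe 12345"}
{"EventID": 1, "UtcTime": "2021-09-08 14:02:19", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 1, "UtcTime": "2021-09-08 14:03:02", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "WINWORD.EXE /n C:\\Users\\alice\\Downloads\\invoice.docx"}
{"EventID": 3, "UtcTime": "2021-09-08 14:03:05", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "DestinationIp": "192.0.2.10"}
{"EventID": 1, "UtcTime": "2021-09-08 14:05:40", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "powershell.exe -w hidden"}
"""


def exe_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def flag_unexpected_children(event_lines):
    """Return one alert dict per process-creation event whose parent is an
    Office application and whose child is not in the baseline."""
    alerts = []
    for raw in event_lines.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev.get("EventID") != 1:
            continue  # only process-creation events carry ParentImage
        parent, child = exe_name(ev["ParentImage"]), exe_name(ev["Image"])
        if parent in OFFICE_PARENTS and child not in BASELINE_CHILDREN:
            alerts.append({"time": ev["UtcTime"], "parent": parent,
                           "child": child, "cmdline": ev.get("CommandLine", "")})
    return alerts


if __name__ == "__main__":
    for a in flag_unexpected_children(SAMPLE_EVENTS):
        print(f"{a['time']}  {a['parent']} -> {a['child']}  {a['cmdline']}")
```

The same logic maps directly onto an EDR or SIEM query (parent image in the Office set, child image not in the baseline), which is where it should live in production; the script is mainly useful for testing a candidate baseline against exported telemetry before turning the rule on.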
Read more in:
Dark Reading: Microsoft Windows Zero-Day Under Attack
KrebsOnSecurity: Microsoft: Attackers Exploiting Windows Zero-Day Flaw
Gov Infosecurity: Zero-Day Attacks Exploit MSHTML Flaw in Microsoft Windows