This Week in Security: Office 0-day, ForcedEntry, ProtonMail, and OMIGOD


A particularly nasty 0-day was discovered in the wild, CVE-2021-40444, a flaw in how Microsoft’s MSHTML engine handles Office documents. Not all of the details are clear yet, but the result is that opening an Office document can trigger remote code execution. It gets worse, though, because the exploit can work when simply previewing a file in Explorer, making this a potential 0-click exploit. So far the attack has been used against specific targets, but a POC has been published.


It appears that there are multiple tricks behind the exploit that should be discrete CVEs. First, a simple invocation of mshtml:http in an Office document triggers the download and processing of that URL via the Trident engine, AKA our old friend IE. The real juicy problem is that in Trident, an iframe can be constructed with a .cpl URI pointing at an .inf or .dll file, and that gets executed without any prompt. This is demonstrated here by [Will Dormann]. A patch was included with this month’s roundup of fixes for Patch Tuesday, so make sure to update.
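The two ingredients described above (an mshtml: relationship target inside the document, and a .cpl URI reaching for an .inf or .dll) are both visible in the document's package metadata without rendering it, which makes a cheap triage check possible at a mail gateway or during incident response. The following is an added example, not code from the Hackaday post or from Microsoft: it unpacks an Office Open XML file (a .docx, .xlsx or .pptx is a ZIP archive) and flags relationship targets with those patterns. The sample relationship XML and the placeholder host `example.invalid` are constructed for the example.

```python
"""
Added example (not from the original post): triage scanner that inspects the
relationship (*.rels) members of an Office Open XML package and flags targets
using the mshtml: scheme or naming .cpl/.inf/.dll resources. It never opens or
renders the document, so it is safe to run on untrusted samples.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace used by every OOXML relationship file.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Patterns worth flagging for triage, per the behaviour described above.
# Note: the extension check is a substring match, so "x.dll.png" also flags;
# that is acceptable for a triage tool that surfaces files for a human.
SUSPICIOUS_SCHEMES = {"mshtml"}
SUSPICIOUS_EXTENSIONS = (".cpl", ".inf", ".dll")


def find_suspicious_targets(rels_xml: bytes) -> list[str]:
    """Return the Target values in one .rels file that match the patterns.
    An unparseable .rels file is reported rather than silently skipped."""
    try:
        root = ET.fromstring(rels_xml)
    except ET.ParseError:
        return ["<unparseable .rels file>"]
    hits = []
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        target = rel.get("Target", "")
        low = target.lower()
        # urlparse("mshtml:http://...") yields scheme "mshtml"; relative
        # package paths such as "media/image1.png" yield an empty scheme.
        scheme = urlparse(low).scheme
        if scheme in SUSPICIOUS_SCHEMES or any(ext in low for ext in SUSPICIOUS_EXTENSIONS):
            hits.append(target)
    return hits


def scan_package(data: bytes) -> dict[str, list[str]]:
    """Scan every *.rels member of an OOXML ZIP given as bytes.
    Returns a mapping of member name -> flagged Target values."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".rels"):
                hits = find_suspicious_targets(zf.read(name))
                if hits:
                    findings[name] = hits
    return findings


# Constructed sample inputs (not real documents): a benign relationship file
# and one carrying the mshtml: scheme described in the post.
BENIGN_RELS = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    b'<Relationship Id="rId1" Target="media/image1.png" '
    b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"/>'
    b'</Relationships>'
)
SUSPICIOUS_RELS = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    b'<Relationship Id="rId1" Target="media/image1.png" '
    b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"/>'
    b'<Relationship Id="rId2" Target="mshtml:http://example.invalid/page.html" '
    b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"/>'
    b'</Relationships>'
)


def build_sample_package(rels_xml: bytes) -> bytes:
    """Constructed minimal ZIP with a single .rels member: enough to exercise
    the scanner, deliberately not a complete or openable document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(label, scan_package(build_sample_package(rels)))
```

To use it on a real file, pass `open(path, "rb").read()` to `scan_package`; any non-empty result is a reason to quarantine the file and pull the referenced URL for analysis rather than to open the document.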


ForcedEntry


Yet another 0-click 0-day, this time in Apple products, CVE-2021-30860 was discovered as part of the NSO Group’s exploit toolkit. Citizen Lab refers to the vulnerability as FORCEDENTRY. It’s a problem in Apple’s image rendering code that allows a malicious PDF to trigger RCE. Because Apple shares this library across devices, the exploit works on iOS, macOS, and even watchOS prior to the patch. Bas ..
