CVE-2021-40444 — Microsoft MSHTML Remote Code Execution Vulnerability


Windows MSHTML — Zero-Day RCE via Malicious Office Document Loading ActiveX Control from Remote .cab File; Exploited Before September 2021 Patch

What is Microsoft MSHTML?

MSHTML (also known as the Trident rendering engine) is Microsoft's HTML rendering engine, originally developed for Internet Explorer. Despite IE's decline, MSHTML remains embedded in Windows and is used by various components including Microsoft Office for rendering web content within documents (HTML email, OLE objects in Word/Excel, etc.). Office applications use MSHTML to process embedded web objects in documents — this deep integration between Office document parsing and the web rendering engine creates a significant attack surface because a malicious document can cause Office to invoke MSHTML to process attacker-controlled web content, triggering any vulnerabilities in the rendering engine or its handling of embedded objects.

Overview

CVE-2021-40444 is a remote code execution vulnerability in Microsoft's MSHTML engine, exploited as a zero-day in targeted attacks beginning in August 2021, weeks before Microsoft patched it in the September 2021 Patch Tuesday release. The attack uses a specially crafted Office document (typically a .docx file) containing an OLE object that causes Microsoft Word to invoke MSHTML to load a remote HTML file. That HTML file in turn causes MSHTML to download and process a malicious ActiveX control packaged in a .cab file hosted on an attacker-controlled server. When the ActiveX control is installed from the .cab, it executes arbitrary code on the victim's system. The Scope: Changed rating reflects that the exploit crosses a security boundary, from the Office application context into the broader OS.

The zero-day was used in targeted attacks against specific organizations before Microsoft published their security advisory on September 7, 2021. Public proof-of-concept code began circulating after the patch, leading to widespread exploitation by ransomware operators and other threat actors.

Affected Versions

Product                                          Vulnerable   Fixed
Windows 10 / Windows 11                          Yes          September 2021 cumulative update (KB5005565)
Windows Server 2016 / 2019 / 2022                Yes          September 2021 cumulative update
Windows 7 SP1 / Windows Server 2008 R2           Yes          September 2021 update
Microsoft 365 Apps / Office 2019 / Office 2016   Yes          September 2021 Office update

Technical Details

  • Root cause: Microsoft MSHTML fails to properly validate the path used when extracting and loading an ActiveX control from a .cab file fetched via a remote URL — a path traversal (CWE-22) condition allows the extracted DLL to be placed and loaded in an attacker-chosen location
  • Attack chain:
    1. Victim receives a malicious .docx via email or download
    2. Opening the .docx triggers Word to process an embedded OLE object pointing to a remote URL (attacker-controlled)
    3. MSHTML fetches the remote URL, which serves an HTML file containing an <object> element referencing a .cab file
    4. MSHTML downloads the .cab file and extracts it, loading the contained ActiveX DLL
    5. The ActiveX DLL executes as arbitrary code in the context of the Word process
  • Scope: Changed: Code execution escapes the confines of the Office sandbox and affects the broader OS
  • User interaction: The victim must open the malicious .docx file (UI:R) — typically delivered via spear-phishing email
  • Pre-patch mitigation: Before the September 2021 patch, Microsoft recommended disabling ActiveX controls in Internet Explorer to break the attack chain
  • Post-patch exploitation: After the patch and PoC publication, the attack technique was adapted by ransomware groups who used it against organizations with unpatched systems
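The attack chain above starts with an OLE relationship inside the .docx package whose target is a remote URL rather than an embedded part. The following triage helper, added here as an example and not code from the page or from Microsoft, opens a .docx (a zip of OOXML parts), walks every .rels part, and reports OLE relationships marked TargetMode="External" so an analyst can review them before the document reaches a user. The sample document, the part names and the example.invalid URL are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace and the OLE object relationship type used by Word.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def build_sample_docx(ole_target, target_mode="External"):
    """Constructed sample: a minimal .docx-like zip whose document.xml.rels
    carries one OLE relationship. Example data only, not a real document."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL}" '
        f'Target="{ole_target}" TargetMode="{target_mode}"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def find_external_ole_targets(docx_bytes):
    """Return (rels_part, rel_id, target) for every OLE relationship that
    points outside the package. TargetMode defaults to Internal when absent."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL and rel.get("TargetMode", "Internal") == "External":
                    hits.append((name, rel.get("Id"), rel.get("Target")))
    return hits


def is_remote_url(target):
    """True when the target carries a URL scheme (http:, https:, ...) rather
    than a package-relative path such as embeddings/oleObject1.bin."""
    return re.match(r"^[A-Za-z][A-Za-z0-9+.\-]*:", target or "") is not None


if __name__ == "__main__":
    sample = build_sample_docx("http://example.invalid/page.html")
    for part, rid, target in find_external_ole_targets(sample):
        flag = "REMOTE" if is_remote_url(target) else "external"
        print(f"{part}: {rid} -> {target} [{flag}]")
```

A document that legitimately embeds an OLE object keeps the object as an internal part, so any external OLE target, and especially one with a URL scheme, is worth quarantining for review.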

Discovery

First observed in targeted attacks in August 2021. Multiple security firms identified samples before Microsoft's public advisory. EXPMON researchers reported the zero-day to Microsoft. Microsoft's September 7, 2021 advisory (before the patch) confirmed active exploitation and provided interim mitigations.

Exploitation Context

CVE-2021-40444 attracted significant attention because it required only opening a .docx file; no macros and no "Enable Content" click were needed. The attack worked even in Protected View in some configurations, making it particularly dangerous as a phishing payload. Initial exploitation was targeted (specific industries and geographies). After the September 7, 2021 advisory made the technique public, exploitation broadened significantly. By the time CISA added it to KEV in November 2021, ransomware operators had incorporated it into initial access toolkits. The Known Ransomware Use flag below reflects confirmed ransomware deployment via this vulnerability.

Remediation

  1. Apply September 2021 cumulative update for Windows (KB5005565 for Windows 10 21H1 or equivalent) and the September 2021 Office update
  2. Disable ActiveX controls in Internet Explorer zone settings as an additional mitigation (Group Policy: Computer Configuration → Windows Settings → Internet Explorer → Security Zones → Disable ActiveX controls in Internet Zone)
  3. Enable Attack Surface Reduction rule: "Block all Office applications from creating child processes" to prevent the document → MSHTML → code execution chain
  4. Configure Microsoft Defender for Office 365 Safe Attachments to scan .docx and .rtf files before delivery
  5. Deploy network controls to block outbound HTTP/HTTPS connections from Office applications to untrusted internet hosts (application-layer filtering)

Key Details

Property              Value
CVE ID                CVE-2021-40444
Vendor / Product      Microsoft — MSHTML
NVD Published         2021-09-15
NVD Last Modified     2025-10-30
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
Severity              HIGH
CWE                   CWE-22
CISA KEV Added        2021-11-03
CISA KEV Deadline     2021-11-17
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Changed
Confidentiality       Low
Integrity             High
Availability          Low

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date         Event
2021-08-18   First malicious documents exploiting CVE-2021-40444 observed in targeted attacks
2021-09-07   Microsoft publishes security advisory for CVE-2021-40444 as a zero-day under active exploitation, with mitigations prior to patch
2021-09-14   Microsoft patches CVE-2021-40444 in September 2021 Patch Tuesday (KB5005565)
2021-09-15   CVE published; public proof-of-concept exploits begin circulating
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17   CISA BOD 22-01 remediation deadline