MSHTML Zero-Day: Nation-States Weaponise Office Documents with No Macros Required

CVE-2021-40444, a zero-day in Windows' MSHTML (Trident) rendering engine, allowed arbitrary code execution from a specially crafted Office document without requiring macros — bypassing a primary defence against malicious Office files.

Microsoft MSHTML / Government Targets · 2021 · 2 min read

Background

Macro-laden Office documents had long been one of the most common malware delivery mechanisms, and many organisations had disabled macros as a key defensive measure. CVE-2021-40444 sidestepped that control entirely: the bug lay in MSHTML, the Internet Explorer (Trident) engine that Office also uses to render web content referenced from a document, so the malicious document needed no macro at all.

The Attack

The in-the-wild documents abused the way Office lets an embedded OLE object reference external web content. A Word document (or an RTF carrying the same object) pointed that reference at an attacker-controlled URL; on open, Office handed the URL to MSHTML, which fetched and rendered the attacker's HTML and loaded the ActiveX control it referenced, with the attacker's code running as the user. No macro ever ran, so macro policies had nothing to block. The exploit was used in targeted attacks against government agencies, universities and defence contractors before Microsoft patched it. Organisations that had relied on macro-disabling as their primary Office control were exposed; documents that stayed in Protected View were not, because the rendering only happens once the document is opened for editing.
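A practical check for the docx form of this lure, added here as an example (it is not Microsoft's or any vendor's tooling, and not code from the original page): the in-the-wild samples carried, in word/_rels/document.xml.rels, an oleObject relationship with TargetMode="External" whose Target was an mhtml: URL. The scanner below flags such relationships and ignores ordinary embedded OLE objects. The test document it builds is constructed in memory and its URL is a placeholder, not a real indicator.

```python
"""Hunt for the external OLE-object relationship used by CVE-2021-40444 lures.

Added example, not Microsoft's or any vendor's code. The sample .docx built
by build_sample_docx() is constructed in memory; its URL is a placeholder.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from xml.sax.saxutils import escape

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Only oleObject relationships can hand a URL to MSHTML this way; the schemes
# listed are the ones MSHTML will actually fetch. Other targets are ignored.
SUSPECT_TYPES = {f"{OFFICE_REL_NS}/oleObject"}
SUSPECT_SCHEMES = {"mhtml", "http", "https", "file"}
RELS_PATH = re.compile(r"^word/_rels/.+\.rels$")


def scan_docx(data: bytes) -> List[Dict[str, str]]:
    """Return one finding per external OLE relationship whose target MSHTML
    would fetch. Embedded (internal) OLE objects are normal Office content
    and are not reported."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not RELS_PATH.match(name):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") not in SUSPECT_TYPES:
                    continue
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                scheme = target.split(":", 1)[0].lower()
                if scheme in SUSPECT_SCHEMES:
                    findings.append({"rels": name, "id": rel.get("Id", ""),
                                     "scheme": scheme, "target": target})
    return findings


def build_sample_docx(external_target: Optional[str] = None,
                      embedded_ole: bool = False) -> bytes:
    """Constructed minimal .docx (not a real sample). Optionally adds the
    external oleObject relationship of a 40444-style lure and/or a benign
    embedded OLE object, to show the scanner only reports the former."""
    rels = [f'<Relationship Id="rId1" Type="{OFFICE_REL_NS}/styles" Target="styles.xml"/>']
    if embedded_ole:
        rels.append(f'<Relationship Id="rId2" Type="{OFFICE_REL_NS}/oleObject" '
                    'Target="embeddings/oleObject1.bin"/>')
    if external_target:
        safe = escape(external_target, {'"': "&quot;"})
        rels.append(f'<Relationship Id="rId3" Type="{OFFICE_REL_NS}/oleObject" '
                    f'Target="{safe}" TargetMode="External"/>')
    doc_rels = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">'
                + "".join(rels) + "</Relationships>")
    parts = {
        "[Content_Types].xml": '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "_rels/.rels": f'<?xml version="1.0"?><Relationships xmlns="{RELS_NS}"/>',
        "word/document.xml": '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        "word/_rels/document.xml.rels": doc_rels,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL in the shape the lures used (mhtml: wrapping an http: URL).
    lure = "mhtml:http://example.invalid/side.html!x-usc:http://example.invalid/side.html"
    for label, blob in [("clean", build_sample_docx(embedded_ole=True)),
                        ("lure", build_sample_docx(lure, embedded_ole=True))]:
        print(label, scan_docx(blob))
```

The scanner covers only the docx relationship form; an RTF lure carries the same object hex-encoded inside \objdata and needs a separate parser, and a production tool should walk every .rels part in the package rather than only those under word/_rels/. The scheme check is a heuristic for triage, not proof of exploitation: treat a hit as a reason to detonate the file in a sandbox, not as a verdict.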

Response

Microsoft published an advisory on 7 September 2021 with interim workarounds (disabling installation of ActiveX controls in Internet Explorer through the URLACTION settings under the Internet Settings Zones registry policy, and disabling document preview in Windows Explorer) and shipped the fix in the 14 September 2021 Patch Tuesday updates, after exploitation in the wild had already been observed. In parallel, Microsoft moved to disable ActiveX content in documents carrying the Mark of the Web, a significant change in how Office treats internet-origin files. CISA issued advisories urging federal agencies to apply the workarounds and then the patch.

Outcome

The zero-day demonstrated that macro-disabling alone is insufficient as an Office security strategy. Microsoft's subsequent decision to block internet-origin VBA macros by default (2022) and its longer-term move away from MSHTML as a rendering engine in Office were driven in part by the accumulation of vulnerabilities like this one.

Key Takeaways

  1. Macro policies alone are insufficient defence against Office document exploitation: keep Protected View enforced for internet and email documents and disable ActiveX where it is not needed
  2. Mark of the Web and Protected View provide important sandboxing for documents from internet or email sources
  3. Multi-layer document security (Protected View + macro controls + EDR) is required for defence in depth
  4. Zero-days exploiting legitimate Office features (rendering, ActiveX) are particularly hard to mitigate with policy controls alone
Tags: MSHTML, ActiveX, Office zero-day, no-macro exploit, Windows