Security News > 2021 > September > Windows zero-day MSHTML attack – how not to get booby trapped!
The ActiveX code activates the Windows MSHTML component, used for viewing web pages, exploits a bug in it to give itself the same level of control that you yourself would have right from the Windows desktop, and uses it to implant malware of the attacker's choice.
MSHTML isn't a full-on browser, like Internet Explorer or Edge, but is a part of the operating system that can be used to create browsers or browser-like applications that need or want to display HTML files.
Even though HTML is most closely associated with web browsing, many apps other than browsers find it useful to be able to render and display web content, for example as a convenient and good-looking way to present documentation and help files, or to let users fill in and submit support tickets.
On iOS, interestingly, Apple not only uses WebKit as the core of its own browser, Safari, but also mandates the use of WebKit in browsers or browser-like apps from all other vendors.
Even if there's a bug that they can't quite control closely enough to take over your browser of choice, they may be able to find other applications in which the vulnerability can not only be used to crash the app, but also to exploit it in order to grab control from it and implant malware.
That's what CVE-2021-40444 seems to do, with the attack being delivered via Office files loaded into Word, Excel and so on, rather than by web pages viewed directly in your browser.
News URL
Related news
- Play ransomware exploited Windows logging flaw in zero-day attacks (source)
- Apple fixes two zero-days exploited in targeted iPhone attacks (source)
- Apple plugs zero-day holes used in targeted iPhone attacks (CVE-2025-31200, CVE-2025-31201) (source)
- Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054) (source)
- Apple Patches Two Zero-Days Used in ‘Extremely Sophisticated’ Attacks (source)
- Windows NTLM hash leak flaw exploited in phishing attacks on governments (source)
- Phishing detection is broken: Why most attacks feel like a zero day (source)
- DslogdRAT Malware Deployed via Ivanti ICS Zero-Day CVE-2025-0282 in Japan Attacks (source)
- SAP fixes suspected Netweaver zero-day exploited in attacks (source)
- Craft CMS RCE exploit chain used in zero-day attacks to steal data (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-09-15 | CVE-2021-40444 | Path Traversal vulnerability in Microsoft products <p>Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. | 0.0 |