近日,国家信息安全漏洞库(CNNVD)收到关于Microsoft MSHTML.DLL 代码注入漏洞(CNNVD-202109-350、CVE-2021-40444)情况的报送。成功利用漏洞的攻击者能够在目标系统执行恶意代码,最终控制目标系统。微软多个操作系统均受此漏洞影响。目前,微软官方暂未发布漏洞修复补丁,但发布了临时缓解措施缓解漏洞带来的危害,请用户及时确认是否受到漏洞影响,尽快采取修补措施。
一、漏洞介绍
Microsoft MSHTML.DLL是美国微软(Microsoft)公司的一个用于解析HTML语言的动态链接库,IE、Outlook、Outlook Express等应用程序都使用了该动态链接库。远程攻击者可以创建带有恶意ActiveX控件的特制Office文档,诱使受害者打开文档并在系统上执行任意代码。
二、危害影响
成功利用漏洞的攻击者能够在目标系统执行恶意代码,最终控制目标系统。微软Windows 7、Windows 8、Windows 10、Windows Server 2008、Windows Server 2012、Windows Server 2016、Windows Server 2019等42个操作系统版本均受此漏洞影响。具体如下:
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
三、修复建议
目前,微软官方暂未发布漏洞修复补丁,但发布了临时缓解措施缓解漏洞带来的危害,请用户及时确认是否受到漏洞影响,尽快采取修补措施。官方链接如下:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
本通报由CNNVD技术支撑单位——网神信息技术(北京)股份有限公司、深信服科技股份有限公司、杭州安恒信息技术股份有限公司、北京天融信网络安全技术有限公司、北京鸿腾智能科技有限公司、内蒙古洞明科技有限公司、铱迅安全应急响应中心、新华三技术有限公司提供支持。
CNNVD将继续跟踪上述漏洞的相关情况,及时发布相关信息。如有需要,可与CNNVD联系。联系方式: cnnvdvul@itsec.gov.cn