Microsoft lists the vulnerability as CVE-2021-40444 with the following description: “An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” Trident or MSHTML is Microsoft’s own browser engine that underpins Internet Explorer. It was released in 1997 with the launch of IE 4. Amazingly, because many organizations still rely on Internet Explorer, the nearly 25 year old Trident is still in use. Microsoft continues to offer maintenance and patches for MSHTML running on IE 11. Of course, the company has since moved onto Microsoft Edge for modern browsing. Because it is very much a legacy service, Internet Explorer is a frequent and easier target for cyberattacks.
Fix Available
With the latest vulnerability, Microsoft is giving the hack a severity rating of 8.8/10. The company says threat actors have been able to bypass its security mitigations by exposing a flaw in Trident. However, this week the company is issuing a fix for the exploit as part of September 2021 Patch Tuesday. “September 14, 2021: Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately.” Tip of the day: Windows 10s Power Throttling can net up to 11% more battery savings per charge with little negative impact. In some scenarios you might consider turning Power Throttling off for single apps that you want run with maximum performance. Our tutorial shows you various methods to manage Power Throttling.