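CNNVD Alert on the Microsoft MSHTML.DLL Code Injection Vulnerability
The China National Vulnerability Database of Information Security (CNNVD) recently received reports concerning a code injection vulnerability in Microsoft MSHTML.DLL (CNNVD-202109-350, CVE-2021-40444). An attacker who successfully exploits the vulnerability can execute malicious code on the target system and ultimately take control of it. Multiple Microsoft operating systems are affected. Microsoft has not yet released a patch for the vulnerability, but it has published temporary mitigations that reduce the risk. Users should promptly confirm whether they are affected and apply remediation measures as soon as possible.
1. Vulnerability Overview
Microsoft MSHTML.DLL is a dynamic-link library from Microsoft (USA) that parses HTML. Applications such as IE, Outlook and Outlook Express all use this library. A remote attacker can create a specially crafted Office document containing a malicious ActiveX control, lure the victim into opening the document, and execute arbitrary code on the system.
2. Impact
An attacker who successfully exploits the vulnerability can execute malicious code on the target system and ultimately take control of it. A total of 42 operating system versions are affected, including Microsoft Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2012, Windows Server 2016 and Windows Server 2019. The full list is as follows: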
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
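3. Remediation Recommendations
Microsoft has not yet released a patch for the vulnerability, but it has published temporary mitigations that reduce the risk. Users should promptly confirm whether they are affected and apply remediation measures as soon as possible. The official link is: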
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
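This notice was prepared with the support of the following CNNVD technical support organizations: Legendsec Information Technology (Beijing) Inc., Sangfor Technologies Inc., Hangzhou Anheng Information Technology Co., Ltd., Beijing Topsec Network Security Technology Co., Ltd., Beijing Hongteng Intelligent Technology Co., Ltd., Inner Mongolia Dongming Technology Co., Ltd., Yxlink Security Emergency Response Center, and New H3C Technologies Co., Ltd.
CNNVD will continue to track this vulnerability and publish relevant information in a timely manner. If needed, contact CNNVD at: cnnvdvul@itsec.gov.cn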