Skip to content
feed: live about
>_ 0dayNews
microsoft
Explainer

The MSHTML Zero-Day That Turned a Word Document Into Full Code Execution

CVE-2021-40444 let attackers execute arbitrary code through a malicious Office document with no macros required — exploited in the wild before Microsoft's patch existed.

The MSHTML Zero-Day That Turned a Word Document Into Full Code Execution
Photo: Abigor / Wikimedia Commons · CC BY-SA 3.0
0day News Desk · Published · 1 min read

For years, “don’t enable macros in an email attachment” was the single most repeated piece of security advice for Office document phishing. CVE-2021-40444 didn’t need macros at all.

What the vulnerability does

The flaw lives in MSHTML, the legacy Trident browser-rendering engine that Windows and certain Office components still rely on for specific document-rendering tasks. Microsoft disclosed the bug on September 7, 2021, confirming it was already being exploited in the wild as a zero-day. The attack technique: a malicious Word document referencing a remote HTML template that loaded a specially crafted ActiveX control, achieving remote code execution the moment the document was opened — no macro prompt, no additional user interaction beyond normal document handling in many default configurations.

Why it mattered

The macro-blocking defenses many organizations had spent years deploying — disabling macros from internet-sourced documents by default, training users to recognize the “Enable Content” prompt as a red flag — didn’t apply here, because the exploit chain never touched macros. That made it an attractive vector for phishing campaigns during the roughly two-week window between public disclosure and Microsoft’s full tested patch, a gap threat intelligence researchers observed being used by multiple actors to deliver commodity malware loaders.

Microsoft’s interim mitigation

Before the complete patch was ready, Microsoft published a stopgap: disabling ActiveX control installation in Internet Explorer via a registry change, since MSHTML’s vulnerable rendering path was shared infrastructure underneath Office’s own document handling. Security teams widely adopted the workaround as an emergency measure while waiting for the full fix.

What administrators should do

Apply Microsoft’s September 2021 cumulative security updates addressing CVE-2021-40444, and in environments where immediate patching isn’t possible, apply the documented registry-based interim mitigation. The vulnerability was added to CISA’s KEV catalog given confirmed active exploitation. Full technical detail is in Microsoft’s security advisory and the NVD entry.

This article describes the vulnerability’s impact and official mitigation guidance only — it does not include exploit code or step-by-step attack instructions.

Found this useful? Share it.