Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Windows MSHTML Zero-day Exploits Shared on Hacking Forums

Windows MSHTML Zero-day Exploits Shared on Hacking Forums

Threat actors are sharing Windows MSHTML zero-day (CVE-2021-40444) tutorials and exploits on hacking forums, allowing other hackers to start exploiting the new vulnerability in their own attacks.

Last Tuesday, Microsoft disclosed a new zero-day vulnerability in Windows MSHTML that allows threat actors to create malicious documents, including Office and RTF docs, to execute commands on a victim’s computer remotely.

Even though there are no security updates available for the CVE-2021-40444 vulnerability, as it was discovered used in active attacks by EXPMON and Mandiant, Microsoft decided to disclose the vulnerability and provide mitigations to help prevent its exploitation.

These mitigations work by blocking ActiveX controls and Word/RTF document previews in Windows Explorer.

However, researchers have been able to modify the exploit not to use ActiveX, effectively bypassing Microsoft’s mitigations.

Guides and PoCs shared on hacking forums

When Microsoft first disclosed the Windows MSHTML zero-day, tracked as CVE-2021-40444, security researchers quickly found the malicious documents used in attacks.

While they soon reproduced the exploits, modified them for further capabilities, and discovered a new document preview vector, the researchers did not disclose details for fear other threat actors would abuse it.

Unfortunately, threat actors have been able to reproduce the exploit on their own from information, and malicious document samples posted online and have begun sharing detailed guides and information on hacking forums.

Forums post on a hacking forum
Forums posts with guides on reproducing the CVE-2021-40444 exploit
Forums posts with guides on reproducing the CVE-2021-40444 exploit

The information is simple to follow and allows anyone to create their own working version of the CVE-2021-40444 exploit, including a python server to distribute the malicious documents and CAB files.

Using this information, BleepingComputer could reproduce the exploit in about 15 minutes, as demonstrated in the video below.

Defending against the CVE-2021-40444 MSHTML vulnerability 

The good news is that since the vulnerability was disclosed, Microsoft Defender and other security programs can detect and block malicious documents and CAB files used in this attack.

For example, you can see below Microsoft Defender blocking the exploit as ‘Trojan:Win32/CplLoader.a’ and ‘TrojanDownloader:HTML/Donoff.SA’ detections.

Microsoft Defender blocking CVE-2021-40444 exploits
Microsoft Defender blocking CVE-2021-40444 exploits

Microsoft has also provided the following mitigations to block ActiveX controls in Internet Explorer, the default handler for the MSHTML protocol, and block document preview in Windows Explorer.

Disable ActiveX controls in Internet Explorer

To disable ActiveX controls, please follow these steps:

  1. Open Notepad and paste the following text into a text file. Then save the file as disable-activex.reg. Make sure you have the displaying of file extensions enabled to properly create the Registry file.

    Alternatively, you can download the registry file from here.Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] "1001"=dword:00000003 "1004"=dword:00000003
  2. Find the newly created disable-activex.reg and double-click on it. When a UAC prompt is displayed, click on the Yes button to import the Registry entries.
  3. Reboot your computer to apply the new configuration.

Once you reboot your computer, ActiveX controls will be disabled in Internet Explorer.

You can enable ActiveX controls again by deleting the above Registry keys or using this Registry file.

Disable document preview in Windows Explorer

Security researchers have also found that this vulnerability can be exploited by viewing a malicious document using the Windows Explorer preview feature.

CVE-2021-40444 is so bad— jq0904 (@jq0904) September 10, 2021

Since this was discovered, Microsoft has added the following mitigation to disable previewing of RTF and Word documents:

  1. In the Registry Editor (regedit.exe), navigate to the appropriate registry key:For Word documents, navigate to these keys:
    • HKEY_CLASSES_ROOT.docx\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}
    • HKEY_CLASSES_ROOT.doc\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}
    • HKEY_CLASSES_ROOT.docm\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}
    For rich text files (RTF), navigate to this key:
    • HKEY_CLASSES_ROOT.rtf\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}
  2. Export a copy of the Registry key as a backup.
  3. Now double-click Name and in the Edit String dialog box, delete the Value Data.
  4. Click OK,

Word document and RTF file previews are now disabled in Windows Explorer.

To enable Windows Explorer preview for these documents, double-click on the backup .reg file you created in step 2 above.

While these mitigations will help, as the exploit has been modified not to use ActiveX controls, users are still at risk until an official security update is released.

Until Microsoft releases a security update, everyone should treat all Word and RTF attachments suspiciously and their source manually verified before opening them.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us