近日，国家信息安全漏洞库（CNNVD）收到关于Microsoft MSHTML.DLL 代码注入漏洞（CNNVD-202109-350、CVE-2021-40444）情况的报送。成功利用漏洞的攻击者能够在目标系统执行恶意代码，最终控制目标系统。微软多个操作系统均受此漏洞影响。目前，微软官方暂未发布漏洞修复补丁，但发布了临时缓解措施缓解漏洞带来的危害，请用户及时确认是否受到漏洞影响，尽快采取修补措施。

一、漏洞介绍

Microsoft MSHTML.DLL是美国微软（Microsoft）公司的一个用于解析HTML语言的动态链接库，IE、Outlook、Outlook Express等应用程序都使用了该动态链接库。远程攻击者可以创建带有恶意ActiveX控件的特制Office文档，诱使受害者打开文档并在系统上执行任意代码。

二、危害影响

成功利用漏洞的攻击者能够在目标系统执行恶意代码，最终控制目标系统。微软Windows 7、Windows 8、Windows 10、Windows Server 2008、Windows Server 2012、Windows Server 2016、Windows Server 2019等42个操作系统版本均受此漏洞影响。具体如下：

Windows 7 for x64-based Systems Service Pack 1

Windows 7 for 32-bit Systems Service Pack 1

Windows Server 2012 R2 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 (Server Core installation)

Windows Server 2012

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows RT 8.1

Windows 8.1 for x64-based systems

Windows 8.1 for 32-bit systems

Windows Server 2016 (Server Core installation)

Windows Server 2016

Windows 10 Version 1607 for x64-based Systems

Windows 10 Version 1607 for 32-bit Systems

Windows 10 for x64-based Systems

Windows 10 for 32-bit Systems

Windows Server, version 20H2 (Server Core Installation)

Windows 10 Version 20H2 for ARM64-based Systems

Windows 10 Version 20H2 for 32-bit Systems

Windows 10 Version 20H2 for x64-based Systems

Windows Server, version 2004 (Server Core installation)

Windows 10 Version 2004 for x64-based Systems

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for 32-bit Systems

Windows Server 2022 (Server Core installation)

Windows Server 2022

Windows 10 Version 21H1 for 32-bit Systems

Windows 10 Version 21H1 for ARM64-based Systems

Windows 10 Version 21H1 for x64-based Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for 32-bit Systems

Windows Server 2019 (Server Core installation)

Windows Server 2019

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1809 for 32-bit Systems

三、修复建议

目前，微软官方暂未发布漏洞修复补丁，但发布了临时缓解措施缓解漏洞带来的危害，请用户及时确认是否受到漏洞影响，尽快采取修补措施。官方链接如下：

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

本通报由CNNVD技术支撑单位——网神信息技术（北京）股份有限公司、深信服科技股份有限公司、杭州安恒信息技术股份有限公司、北京天融信网络安全技术有限公司、北京鸿腾智能科技有限公司、内蒙古洞明科技有限公司、铱迅安全应急响应中心、新华三技术有限公司提供支持。

CNNVD将继续跟踪上述漏洞的相关情况，及时发布相关信息。如有需要，可与CNNVD联系。联系方式: [email protected]