https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4462740#M6378 We have signature-based coverage since yesterday. Our team is working on adding more coverage through Behavioral Protection engine and Cloud IOCs.<BR /> Thu, 09 Sep 2021 19:48:06 GMT DaphneG 2021-09-09T19:48:06Z https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4462476#M6375 <P>In a new advisory (<A href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444" target="_blank" rel="noopener">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444</A>), Microsoft mentions (normal, their product) that Microsoft Defender...&nbsp;<SPAN>provide detection and protections for the known vulnerability. Also... alerts will be displayed as: “Suspicious Cpl File Execution”.</SPAN></P><P><SPAN>What is Cisco's behaviour in regards to this one?</SPAN></P><P>&nbsp;</P><P><SPAN>Tks.</SPAN></P> Thu, 09 Sep 2021 12:47:05 GMT https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4462476#M6375 00urb57x9u0O6CPE25d6 2021-09-09T12:47:05Z https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4462621#M6377 <P>Our Research and Efficacy team is currently investigating this vulnerability. We'll share the findings as soon as it's available.&nbsp;</P> Thu, 09 Sep 2021 16:23:09 GMT https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4462621#M6377 DaphneG 2021-09-09T16:23:09Z https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4462740#M6378 We have signature-based coverage since yesterday. Our team is working on adding more coverage through Behavioral Protection engine and Cloud IOCs.<BR /> Thu, 09 Sep 2021 19:48:06 GMT https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4462740#M6378 DaphneG 2021-09-09T19:48:06Z https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4462755#M6379 I meant to include earlier that for those interested Cisco Talos also released new SNORT rules for this CVE: <A href="https://blog.talosintelligence.com/2021/09/talos-release-protection-against-zero.html#more" target="_blank">https://blog.talosintelligence.com/2021/09/talos-release-protection-against-zero.html#more</A><BR /> Thu, 09 Sep 2021 20:10:06 GMT https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4462755#M6379 DaphneG 2021-09-09T20:10:06Z https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4462903#M6380 <P>Talos mentions deploying "<SPAN>ClamAV signature&nbsp;Doc.Exploit.CVE_2012_40444-9891528-0" is this something we as AMP administrators need to do or is this already done for us?&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Otherwise, it would be great if Cisco would provide some Custom Detections - Advanced Signature sets we could use in the meantime.</SPAN></P><P><SPAN>&nbsp;</SPAN></P> Fri, 10 Sep 2021 03:25:19 GMT https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4462903#M6380 ITGuyCSI25 2021-09-10T03:25:19Z https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4462905#M6381 This article mentions some IOCs:<BR /><A href="https://www.bleepingcomputer.com/news/microsoft/windows-mshtml-zero-day-defenses-bypassed-as-new-info-emerges/" target="_blank">https://www.bleepingcomputer.com/news/microsoft/windows-mshtml-zero-day-defenses-bypassed-as-new-info-emerges/</A><BR /> Fri, 10 Sep 2021 03:47:06 GMT https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4462905#M6381 Ken Stieers 2021-09-10T03:47:06Z https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4463687#M6382 <P>Is there anything to be done on Cisco AMP side?&nbsp; Does this vulnerability covered under Tetra signatures of Cisco AMP?</P> Fri, 10 Sep 2021 23:04:44 GMT https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4463687#M6382 mnarayandas 2021-09-10T23:04:44Z https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4465164#M6387 <P>Also would like information regarding what needs to be done on the Cisco AMP side&nbsp;</P> Mon, 13 Sep 2021 15:24:49 GMT https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4465164#M6387 reubooke 2021-09-13T15:24:49Z https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4465257#M6388 <P>Sorry for the delay in the response. AMP has released the following Cloud IOCs and Behavioral Protection (BP) signature since Thursday afternoon:</P> <P>&nbsp;</P> <PRE>W32.WinwordLaunchedControl.ioc (Cloud IOC) W32.SuspiciousControl_RunDLLExecution.ioc (Cloud IOC) Suspicious Control Process Pattern (BP signature)</PRE> <P>&nbsp;</P> <P>The details of each can be found in the Indicators page:&nbsp;<A href="https://console.amp.cisco.com/indicators" target="_blank">https://console.amp.cisco.com/indicators</A></P> <P>&nbsp;</P> <P>You might want to monitor and investigate the endpoints that triggered these events.&nbsp;</P> Mon, 13 Sep 2021 17:44:51 GMT https://community.cisco.com/t5/endpoint-security/microsoft-mshtml-rce-cve-2021-40444-how-cisco-replies/m-p/4465257#M6388 DaphneG 2021-09-13T17:44:51Z