Windows MSHTML, COM platform security feature bypass (zero-day)
Windows MSHTML Platform Security Feature Bypass Vulnerability. An attacker would need to send a malicious file to the user, which they would then need to execute. An authenticated attacker who successfully exploited this vulnerability could bypass OLE mitigations in Microsoft 365 and Microsoft Office.
Overview
CVE-2024-30040 is a security feature bypass vulnerability in the Windows MSHTML platform that was exploited as a zero-day prior to its disclosure on May 14, 2024. The vulnerability allows attackers to bypass OLE (Object Linking and Embedding) mitigations in Microsoft 365 and Microsoft Office applications. These mitigations were designed to warn or block users when documents attempt to bind to potentially dangerous COM/OLE objects. By circumventing these protections, attackers can achieve initial code execution through specially crafted documents without triggering the expected security prompts.
Technical Details
The vulnerability resides in how the Windows MSHTML platform handles OLE/COM object binding. When a user opens a maliciously crafted document (typically a .docx file with embedded OLE objects), the document triggers OLE binding to attacker-controlled content such as HTA files, scripts, or other payloads. Critically, this binding occurs without displaying the COM safety prompts that would normally alert users to potentially dangerous activity.
The attack requires user interaction: specifically, the victim must open the malicious file delivered by the attacker. Once opened, code execution occurs under the user's security context. This bypass effectively undermines the defense-in-depth strategy Microsoft implemented after locking down macro-based attacks, as OLE mitigations served as a secondary protection layer.
Impact
Successful exploitation grants attackers initial access to victim systems with the privileges of the logged-in user. Microsoft confirmed active exploitation at the time of disclosure. Following public disclosure, multiple threat actors integrated this bypass into their delivery chains, including affiliates associated with DarkGate and Pikabot loader campaigns. The vulnerability is particularly dangerous because it circumvents user-training defenses: while users have been conditioned to refuse macro-enabled content, OLE payloads exploiting this vulnerability execute silently without prompts.
Mitigation
- Apply the May 2024 cumulative update on all Windows hosts immediately
- Ensure Microsoft 365 Apps for enterprise are on supported update channels (Current or Monthly Enterprise) as older channels may have delayed security fixes
- Enable Microsoft Defender's Attack Surface Reduction (ASR) rule "Block all Office applications from creating child processes" (Rule GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A) for broad mitigation against this attack class
Detection
Organizations should hunt through email gateway logs covering the January-May 2024 timeframe for .docx attachments containing embedded OLE objects from external senders. Monitor for Office applications spawning unexpected child processes, which may indicate exploitation attempts.
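The two hunts above can be scripted. The following is an added example, not code from the original advisory: it (1) inspects a .docx for embedded OLE objects by looking at the OOXML package structure (parts under word/embeddings/ and oleObject relationships in word/_rels/document.xml.rels) and (2) flags Office applications spawning child processes from process-creation records. The record format, the watch-list of child processes and the sample documents and log lines are all constructed for the example; real EDR or Sysmon event fields will need a different parser.

```python
"""Retrospective hunting helpers for embedded-OLE .docx attachments and
Office-spawned child processes (constructed example, not the advisory's own tooling)."""
import io
import re
import zipfile

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children that Office has no business spawning while a user edits a document.
# This watch-list is an assumption for the example; tune it to your environment.
SUSPICIOUS_CHILDREN = {"mshta.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "regsvr32.exe"}
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def docx_ole_embeddings(docx_bytes: bytes) -> list:
    """Return the package parts holding embedded OLE objects in a .docx (empty if none)."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        # Any part stored under word/embeddings/ is an embedded object.
        found.update(n for n in names if n.startswith("word/embeddings/"))
        # Relationships of type oleObject also catch embeddings stored elsewhere.
        if "word/_rels/document.xml.rels" in names:
            rels = zf.read("word/_rels/document.xml.rels").decode("utf-8", "replace")
            for tag in re.findall(r"<Relationship\b[^>]*>", rels):
                if OLE_REL_TYPE in tag:
                    target = re.search(r'Target="([^"]+)"', tag)
                    if target:
                        found.add("word/" + target.group(1))
    return sorted(found)


def build_sample_docx(with_ole: bool) -> bytes:
    """Construct a minimal .docx in memory (test fixture, not a real malicious sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                    "<w:body/></w:document>")
        rels = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        if with_ole:
            rels += f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>'
            # OLE compound-file magic followed by filler; a real object is far larger.
            zf.writestr("word/embeddings/oleObject1.bin",
                        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
        rels += "</Relationships>"
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed process-creation records in key=value form, modelled loosely on the
# fields a Sysmon event 1 or EDR telemetry record carries. Paths with spaces are quoted.
SAMPLE_PROCESS_LOG = r"""
2024-05-15T09:01:02Z host=WS01 user=alice parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe C:\Users\alice\AppData\Local\Temp\example.hta"
2024-05-15T09:01:05Z host=WS01 user=alice parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\splwow64.exe" cmdline="splwow64.exe 12288"
2024-05-15T09:02:10Z host=WS02 user=bob parent="C:\Windows\explorer.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe"
2024-05-15T09:03:44Z host=WS03 user=carol parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -w hidden"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> dict:
    """Split one record into a dict; the leading token is the timestamp."""
    fields = {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def office_child_alerts(log_text: str) -> list:
    """Return (timestamp, parent, child) for every Office process spawning a watched child."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        parent = rec.get("parent", "").rsplit("\\", 1)[-1].lower()
        child = rec.get("image", "").rsplit("\\", 1)[-1].lower()
        if parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
            alerts.append((rec["ts"], parent, child))
    return alerts


if __name__ == "__main__":
    print("embedded OLE objects:", docx_ole_embeddings(build_sample_docx(True)))
    print("clean document:", docx_ole_embeddings(build_sample_docx(False)))
    for ts, parent, child in office_child_alerts(SAMPLE_PROCESS_LOG):
        print(f"ALERT {ts}: {parent} spawned {child}")
```

Note that the second record (WINWORD.EXE spawning splwow64.exe, the 32-bit print helper) is deliberately not flagged: the value of the child-process hunt depends on a watch-list that excludes Office's own benign helpers, otherwise the alert volume drowns the true positives. The document check only tells you an OLE object is present; whether it is a benign embedded spreadsheet or an attacker-controlled payload still needs analyst triage of the object itself.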