Session 1
Video Transcript
Hey man. Yeah, there must be, hold on. I think there's some smudge on my camera. I'll be here. I say there's like a filter on it. Is that better? Ah, much better. Yeah, that's got a fingerprint on it or something. Awesome. You look great. Alright, so we're already recording, but um, I'll count us down. 3, 2, 1. Basically what I'll say, right, you know, with Bryson Medlock from the, uh, uh, is it okay to say the Perch CRU these days? Uh, we, we call it the ConnectWise Cyber Research Unit.
Okay. ConnectWise. Okay. Cyber Research Unit. Got it. Um, and uh, let me just write down real quick here. CVE-2021-40444. Okay. Alright. Coming back to you here Bryson. All, I'll count us down. You ready to go brother? Sure. So it's, oh, so lemme just confirm. ConnectWise Cyber Research Unit? Yes. ConnectWise Cyber Research. Okay. Alright. 3, 2, 1. Hey everybody. Andrew Morgan here with Bryson Medlock of the ConnectWise Cyber Research Unit. Bryson, how are you? I'm doing great, Andrew.
How are you? I'm do, I'm doing well, Bryson, I just wanted to bring you on and get this out to as many MSPs and MSPs as possible. Um, you are doing some fantastic work, um, leading, uh, discussion in MSPGeek and, uh, a bunch of other areas on the Microsoft MSHTML exploit. This is CVE-2021-40444 and, uh, I'll put that in the post. Bryson, talk to us about what is going on here, why is this so, um, critical right now and what can people do? Okay. Um, sure.
So this is a remote code execution vulnerability in, uh, MSHTML, also known as Trident. Basically it's the Internet Explorer engine that renders HTML, uh, in, in Windows. So essentially any application, uh, definitely anything Microsoft's written, uh, that renders HTML is using this mshtml.dll. Uh, but it's also a library that other applications could use. Um, you know, like Skype uses it, which I guess that's a Microsoft product now, but there's, there's other applications as well.
Anybody who's using like Visual Studio to write an application that renders HTML is using the same thing. Uh, so it's, it's definitely more than just vulnerable Office documents. Uh, so the, the original advisory that came out from Microsoft earlier this week on, uh, Tuesday, I think, um, they gave some instructions on disabling ActiveX controls or disabling the installation of ActiveX controls, uh, in order to help protect against the, the exploit.
However, since then some researchers have found additional ways to exploit it. Uh, it doesn't have to be an Office document. I think one of the, uh, most frightening examples that we've seen was someone using an uh, RTF file, uh, and just viewing it in preview mode in Windows Explorer, and that actually triggered the exploit as well. So the, an attacker can basically run whatever code they want.
Uh, and, and the reason why it's concerning is that this, this is a, an, this is a vulnerability that's actively being exploited and has been for about a month now, even though we've just now learned about it. Um, the, the current active campaign that we've seen and we've gotten some samples from, uh, it is in a Word document and it's, uh, installing Cobalt Strike, which is a, uh, um, adversary tool that they can use to basically just take control of your system and do whatever they want.
Uh, and, and now that additional research has been done and it has gotten some more press and more people know about it, we expect to see more exploits and more things going, coming soon. Wow. And what can people do, Bryson, is it just being vigilant on a road day right now? Like what, what recommendation would you have recommendation for MSP specifically and then what for what they should be telling their customers? Sure.
So there, there are some workarounds recommended by Microsoft, uh, specifically, like I mentioned, disabling the ActiveX controls, um, that will help with the campaign that we've witnessed, but it won't completely protect you from the actual exploit. Um, the, the best thing I can recommend it right now is being diligent. A lot of vendors are working on detection. Uh, there's a few things you can look for. We, we've added some stuff.
If, if you're a a ConnectWise customer and use Perch, we, we, uh, if you install the CRU collection in the marketplace, we do have some signatures or we have one signature in there, uh, that, that should help detect, uh, if somebody actually, you know, runs one of these documents that, that are vulnerable. Um, otherwise I think the main thing is just let everybody know, uh, about what's going on. Have your users be extra diligent about what documents they open.
Uh, this isn't a, um, an exploit that someone can execute remotely without inter, without somebody interacting. So it's, it's gotta be someone's gotta send you a document and you've gotta do something to that, you know, whether it's opening it or again, even if it's just looked, looked at in preview mode, um, that, that will exploit as well. But still somebody has to do something.
So if you're just extra careful about what you documents you get, uh, you know, watch out for those phishing emails, um, I, I think you, you should be okay. But it, it's, it, it's still early on. Uh, we're, we're still figuring out what can be done with this exploit and we don't really have an ETA yet from Microsoft on when a patch will be available. Got it. Um, fantastic.
Bryson, I really appreciate you, um, giving, you know, your perspective and you know, the fact that I, I can, I can tell you've been working night and day on this in the forums, uh, helping the MSPs, uh, be diligent about what's happening. Thanks so much for joining us. I'll get this out there. Alright, thanks Andrew. Awesome bud. That was fantastic. Alright, Thanks. Um, alright my friend.
Um, yeah, I'll get this and then do you want me to, um, send it to you to post like for, so if you guys wanna use it also, ConnectWise? Um, yeah, that'd be great. All right. I'll get it out to you guys shortly. All right, thanks. All right, thanks brother.