Heimdal
article featured image

Contents:

The fix that mitigates the remote code execution vulnerability can be found in MSHTML, the browser rendering engine that is also used by Microsoft Office documents.

The vulnerability was identified as CVE-2021-40444, and is affecting all Windows Servers from 2008 through 2019 and Windows 8.1 through 10 having a severity level of 8.8.

Microsoft published an advisory that discloses its awareness of the targeted attacks that are trying to exploit the vulnerability by sending specially-crafted Microsoft Office documents to potential victims.

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document.

Source

It is interesting to note that the attack can be thwarted if Microsoft Office is running with the default configuration. In this configuration, the documents downloaded from the web are opened in Protected View mode or Application Guard for Office 365.

Protected View works as a read-only mode having most editing functions disabled, and Application Guard works by isolating any untrusted documents and denying them access to corporate resources, the intranet, or other files on the system.

Multiple researchers were credited for discovering the vulnerability: Haifei Li of EXPMON, Dhanesh Kizhakkinan, Bryce Abdo, and Genwei Jiang – all three of Mandiant, and Rick Cole from Microsoft Security Intelligence.

EXPMON declared to have found the vulnerability soon after detecting a “highly sophisticated zero-day attack” aimed at Microsoft Office users.

The researchers from EXPON reproduced the attack on the latest Office 2019 / Office 365 on Windows 10, and declared for BleepingComputer that the attackers used a .DOCX file.

The vulnerability was launched by opening the document. The .DOCX file document loaded the Internet Explorer engine to render a remote web page from the attacker, in this way allowing malware to be downloaded by using a specific ActiveX control in the web page.

What Can Be Done to Avoid CVE-2021-40444 Zero-day Attacks?

Microsoft has provided a workaround as there is no patch available yet.

Users could disable the installation of all ActiveX controls in Internet Explorer.

To disable ActiveX controls, please follow these steps:

1. Open Notepad and paste the text quoted below into a text file. Then save the file as disable-activex.reg. Make sure you have the displaying of file extensions enabled to properly create the Registry file.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

“1001”=dword:00000003

“1004”=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

“1001”=dword:00000003

“1004”=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

“1001”=dword:00000003

“1004”=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

“1001”=dword:00000003

“1004”=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

“1001”=dword:00000003

“1004”=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

“1001”=dword:00000003

“1004”=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

“1001”=dword:00000003

“1004”=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\ Settings\Zones\3]

“1001”=dword Internet:00000003

“1004”=dword:00000003

2. Find the newly created disable-activex.reg and double-click on it. When a UAC prompt is displayed, click on the Yes button to import the Registry entries.

3. Reboot your computer to apply the new configuration.

Once you reboot your computer, ActiveX controls will be disabled in Internet Explorer.

When Microsoft provides an official security update for this vulnerability, you can remove this temporary Registry fix by manually deleting the created Registry keys.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE