- Microsoft has released an urgent security advisory about a nasty Office zero-day RCE vulnerability.
- Right now, the only way to deal with the attacks is through mitigations and caution, but a fix should be out soon.
- The vulnerable component is used by a galore of software products, so the exploitation is likely to go beyond just the Office.
Microsoft has released some details about CVE-2021-40444, a zero-day remote code execution vulnerability in Trident, which is a proprietary browser engine used by Internet Explorer, Microsoft Office, Skype, the Windows Media Player, Valve’s Steam client, and many more products. The high-severity (CVSS: 8.8) flaw is being under active exploitation in the wild, targeting Office 365 users with maliciously crafted Office documents. All that is needed for the attack to work is to convince the user to open the document.
Right now, there’s no fixing update out, as Microsoft is still investigating and working on a fix. The Defender AV and Defender for Endpoint products have been updated to identify the exploitation efforts and serve alerts to the users who receive the malicious documents, so this is one way to deal with the threat. Another one would be to disable the installation of all ActiveX controls in Internet Explorer. To do that, paste the following into a text file and save it with the “.reg” file extension:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] "1001"=dword:00000003 "1004"=dword:00000003
Then double-click on the newly created reg file to apply it to your Policy hive, and finally perform a system reboot for the configuration change to apply. This will prevent all new ActiveX controls from installation, so the malicious documents won’t harm the system if opened. Old ActiveX controls will continue to run, but these don’t affect the flaw, nor can they be leveraged for an attack.
BreachQuest’s co-founder, Jake Williams, told TechNadu:
MSHTML is a component used by myriad applications on Windows. If you've ever opened an application that seemingly "magically" knows your proxy settings, that's likely because it uses MSHTML under the hood. While there are currently few details available about the vulnerability, the impact is likely to extend beyond MS Office. Vulnerabilities like these tend to have extremely long lifetimes for exploitation in the wild, highlighting the need for security monitoring and periodic threat hunting.
In general, when receiving Office files, treat them with the extra caution they deserve. Sophisticated actors are already distributing malicious Docx files in highly targeted attacks, so if you have received a document from an address you see for the first time, don’t open it. Once a fix is out, hopefully on the upcoming Patch Tuesday, users may delete the reg file and return to their normal configuration.