Microsoft Releases Mitigations and Workarounds for Office Zero-Day RCE Flaw

  • Microsoft has released an urgent security advisory about a nasty Office zero-day RCE vulnerability.
  • Right now, the only way to deal with the attacks is through mitigations and caution, but a fix should be out soon.
  • The vulnerable component is used by a great many software products, so exploitation is likely to go beyond just Office.

Microsoft has released some details about CVE-2021-40444, a zero-day remote code execution vulnerability in Trident, the proprietary browser engine used by Internet Explorer, Microsoft Office, Skype, Windows Media Player, Valve’s Steam client, and many more products. The high-severity (CVSS: 8.8) flaw is under active exploitation in the wild, targeting Office 365 users with maliciously crafted Office documents. All the attacker needs is to convince the user to open the document.

Right now, there is no fix available, as Microsoft is still investigating and working on an update. The Defender AV and Defender for Endpoint products have been updated to identify exploitation attempts and alert users who receive the malicious documents, so that is one way to deal with the threat. Another is to disable the installation of all ActiveX controls in Internet Explorer. To do that, paste the following into a text file and save it with the “.reg” file extension:

Windows Registry Editor Version 5.00
; Zones 0-3 are Local Machine, Local intranet, Trusted sites and Internet.
; 1001 = "Download signed ActiveX controls", 1004 = "Download unsigned ActiveX controls".
; A value of 3 means "Disable" for that action in the zone.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

Then double-click the newly created .reg file to apply it to your Policy hive, and finally reboot the system for the configuration change to take effect. This prevents any new ActiveX control from being installed, so the malicious documents won’t harm the system if opened. Previously installed ActiveX controls will continue to run, but they are not affected by the flaw, nor can they be leveraged for an attack.
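To confirm that the lockdown is actually in place after the reboot, here is an added PowerShell check (not from the article or from Microsoft’s advisory) that reads the same four zone keys from the Policy hive and flags any zone that still allows signed (1001) or unsigned (1004) ActiveX downloads. It assumes the value names and the meaning of 3 as “Disable” as given in the .reg file above.

```powershell
# Added example: verify the CVE-2021-40444 ActiveX-install workaround is present.
# Reads only; it does not change the registry.
$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones  = @{ 0 = 'Local Machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet' }
$values = @{ '1001' = 'Download signed ActiveX controls'
             '1004' = 'Download unsigned ActiveX controls' }
$Disabled = 3   # URL action value 3 = Disable, as in the .reg file above

$results = foreach ($zone in ($zones.Keys | Sort-Object)) {
    $key = Join-Path $base $zone
    foreach ($name in $values.Keys) {
        $current = $null
        if (Test-Path $key) {
            # Missing value -> $null (SilentlyContinue suppresses the error)
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Zone      = "$zone ($($zones[$zone]))"
            Setting   = "$name ($($values[$name]))"
            Value     = if ($null -eq $current) { 'not set' } else { $current }
            Mitigated = ($current -eq $Disabled)
        }
    }
}

$results | Format-Table -AutoSize
if ($results.Mitigated -contains $false) {
    Write-Warning 'ActiveX installation is NOT fully disabled in the Policy hive; apply the .reg workaround and reboot.'
} else {
    Write-Host 'Workaround present: ActiveX installation disabled for zones 0-3.'
}
```

Run it from an elevated PowerShell prompt; a zone reported as “not set” means the policy key was never written, so the default (permissive) behaviour still applies there.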

BreachQuest’s co-founder, Jake Williams, told TechNadu:

MSHTML is a component used by myriad applications on Windows. If you've ever opened an application that seemingly "magically" knows your proxy settings, that's likely because it uses MSHTML under the hood. While there are currently few details available about the vulnerability, the impact is likely to extend beyond MS Office. Vulnerabilities like these tend to have extremely long lifetimes for exploitation in the wild, highlighting the need for security monitoring and periodic threat hunting.

In general, when receiving Office files, treat them with the extra caution they deserve. Sophisticated actors are already distributing malicious Docx files in highly targeted attacks, so if you have received a document from an address you have never seen before, don’t open it. Once a fix is out, hopefully on the upcoming Patch Tuesday, users can delete the reg file and return to their normal configuration.
