Attack via Office Documents on Microsoft MSHTML (ActiveX) RCE Vulnerability (CVE-2021-40444)

Sicherheit (Pexels, allgemeine Nutzung)[German]Microsoft has issued a warning about the remote code execution vulnerability CVE-2021-40444 as of September 7, 2021. In campaigns, this vulnerability, which targets the MSHTML component of Internet Explorer, is exploited via compromised Office documents. Microsoft provides guidance on mitigating this vulnerability, which stems from the ActiveX technology introduced with Internet Explorer.


Advertising

The issue came to my attention overnight via several sources. Once Microsoft sent a security advisory by mail.

******************************************************************
Title: Microsoft Security Update Revisions
Issued: September 7, 2021
******************************************************************

Summary
=======

The following CVE has been published to the Security Update Guide.

==================================================================


Advertising

CVE-2021-40444 | Microsoft MSHTML Remote Code Execution Vulnerability
– Version: 1.0
– Reason for Revision: Information published.
– Originally posted: September 7, 2021
– Updated: N/A
– Aggregate CVE Severity Rating: Important

In addition, I was made aware of this issue via various tweets by security researcher Kevin Beaumont. He classifies the whole thing as a 0-day vulnerability (there is no patch), even though Microsoft does not use this term. 

RCE vulnerability (CVE-2021-40444)

In this security advisory, Microsoft warns of targeted attacks via specially crafted Microsoft Office documents that have been observed in the wild (see this tweet). The attacks attempt to exploit the RCE vulnerability CVE-2021-40444 in the Windows component MSHTML. 

Prepared Office document enables ActiveX

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document to access the browser rendering engine HSHTML. When users open the infected Office document, the ActiveX control is downloaded from the attacker's website and installed. Code can then be executed remotely via MSHTML and the CVE-2021-40444 vulnerability. If users work under standard accounts with reduced user privileges, the impact is less than with administrative user accounts.

Security solutions detect attacks

Microsoft writes that both Defender Antivirus and Microsoft Defender for Endpoint provide detection and protection against exploitation of this known vulnerability. Customers should keep their anti-malware products up to date (should be updated automatically via update, probably requires definition update version 1.349.222.0 – there may have been a typo in the Microsoft statement). Microsoft Defender for Endpoint will then display "Suspicious Cpl file execution" warnings when attacks occur.

The EDR acronym used in above tweets stands for Endpoint Detection and Response, which is supported in Microsoft Defender for Endpoint and Microsoft 365 Defender.

Kevin Beaumont points out that EDR blocking mode is not enabled by default, so administrators need to take action. 

Workaround: Disable ActiveX installation

There are two hints from Microsoft about this attack scenario. Once, the manufacturer writes that Microsoft Office opens documents from the Internet in protected view or in the Application Guard for Office by default. Both variants prevent the current attack, as no active content is executed there.

Furthermore, administrators can disable the installation of all ActiveX controls in Internet Explorer so that the attack no longer works. Existing ActiveX controls, on the other hand, can still be used. According to Microsoft, to disable the installation of ActiveX controls in all zones of Internet Explorer, import a .reg file with the following content.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

The instructions can be saved in an editor in a .reg file and then imported under a user account with administrator privileges by double-clicking. The system must then be restarted. The import of the .reg file sets the flags

URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001)
URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004)

for all internet zones of 64-bit and 32-bit processes to DISABLED. New ActiveX controls are then no longer installed. Previously installed ActiveX controls can still be run.

Administrators in enterprise environments should use Group Policy to prevent the installation of unsigned ActiveX controls. A user has listed the relevant GPOs in this comment on German news site heise.

Microsoft is currently investigating the attack vector and the vulnerability and plans to provide further information and possibly a patch. To undo the registry changes at a later time, simply delete the above registry keys added by the .reg file as part of the workaround in Windows and reboot the machine.


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in browser, Office, Security, Windows and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *