[German]A few days ago, Microsoft disclosed a security advisory for the CVE-2021-40444 vulnerability in the MSHTML component included in Windows. It said there was an attempt to exploit the vulnerability in the wild via crafted Office documents. But Office users are actually protected from this threat by the protected view, they said. Now it is becoming known that this protection can be bypassed and does not work.
Advertising
In this security advisory , Microsoft warns of targeted attacks via specially crafted Microsoft Office documents that have been observed in the wild (see this tweet). The attacks attempt to exploit the RCE vulnerability CVE-2021-40444 in the Windows MSHTML component. Successful attackers can then execute remote code. I had reported on this in the blog post Attack via Office Documents on Microsoft MSHTML (ActiveX) RCE Vulnerability (CVE-2021-40444). Microsoft writes in its security advisory that Office documents would be opened in protected mode by default – the attack then goes nowhere.
Protected view bypassed
Security researcher Will Dormann has taken the vulnerability and tested it with RTF files. He documented the whole thing in the following tweet with a video and follow-up tweets.
Bleeping Computer had asked Will Dormann, vulnerability analyst at CERT/CC, how the Protected View feature mitigates the vulnerability. Dormann pointed out that in the past, users routinely bypassed such protections and disabled protection via the "Enable Editing" button.
In addition, the MoTW flag, which identifies files downloaded from the Internet and causes the protected view, can be tricked. If the document is in a container that is processed by a program that is not MoTW-capable, the protection is no longer effective. For example, if the user opens a 7-Zip archive that originates from the Internet, this information about the MotW flag is lost. The protected view is no longer used by Office when loading. There are other cases (like ISO files) where the protection mechanism fails.
Advertising
In addition, Dormann discovered that the protected view does not work with RTF files and classifies the attack possibilities more dangerous than macros. This is because code can be executed by simply opening an Office document file.
Microsoft has proposed measures such as blocking new ActiveX controls from being installed and executed in Internet Explorer. However, security researcher Kevin Beaumont has already discovered a way to bypass this current Microsoft protection measure and exploit this vulnerability.
Addendum: In the meantime, Microsoft has supplemented the text of its security advisory for CVE-2021-40444. There are instructions to deregister the file type associations for Word files so that Explorer Preview and RTF file type can no longer be opened via double-click.
The vulnerability has been actively exploited for several days, as Beaumont shares here. Details can be found in the tweets as well as at Bleeping Computer.
