Will Microsoft deliver a security update to close the vulnerability CVE-2021-40444 in the Windows MSHTML library today, September 14, 2021? And most importantly: If a patch is coming, will it close the vulnerability, or is it just a placebo? Since exploits are circulating in underground forums, I would like to summarize the current state of affairs again in a blog post.
MSHTML vulnerability CVE-2021-40444
MSHTML (Trident) is the HTML rendering engine of Internet Explorer and is included in all previous versions of Windows. This library has a vulnerability, CVE-2021-40444, that allows remote code execution (RCE), including via manipulated Office documents. Attackers were known to use manipulated Office documents to attack the vulnerability in the HTML rendering engine via ActiveX components that were downloaded and installed from attacker websites.
Microsoft did issue a warning about the remote code execution vulnerability CVE-2021-40444 on September 7, 2021. That advisory gave instructions on how to prevent the installation of new ActiveX elements via Internet Explorer. In addition, Microsoft argued that the Protected View feature in Office mitigated the vulnerability. I covered this in the blog post Attack via Office Documents on Microsoft MSHTML (ActiveX) RCE Vulnerability (CVE-2021-40444).
However, Microsoft’s statements turned out to be “not sufficient and partly false”. It was soon discovered that the vulnerability was much more critical than thought. It doesn’t take ActiveX components to exploit the vulnerability. I had pointed out in the blog post MSHTML vulnerability CVE-2021-40444 more critical than known that security researcher Will Dormann had looked into the vulnerability and tested it with RTF files. The Microsoft protection mechanisms, which are supposed to open Office documents downloaded from the Internet in Protected View, can be easily bypassed.
In the meantime, security researchers have also managed to call .CPL files and thus exploit the vulnerability. The situation has been escalating for a week now, because builder kits for creating manipulated Word files are now available on the Internet. Exploits for the MSHTML vulnerability CVE-2021-40444 are also being passed around in hacker forums. The colleagues at Bleeping Computer have just warned about this development in this article.
Microsoft fell short
In retrospect, Microsoft clearly fell short with its proposals to mitigate the vulnerability. If Protected View can be bypassed, and disabling the installation of new ActiveX elements as suggested by Microsoft is not sufficient, then the user is left out in the cold. Microsoft’s subsequently added instruction to disable the preview association for certain document files by deleting registry entries simply sounds helpless. They don’t have it under control, that’s my impression.
Reading through Microsoft’s previous, largely ineffectual proposals for mitigating the vulnerability, I’m not sure whether the whole thing can be closed via a security update (the never-ending story about PrintNightmare lingers in the back of my mind).
What currently offers partial protection are antivirus solutions that may detect and block an attack based on the files used. But there are likely to be cases soon where unknown exploits get past the virus scanners. It comes down to users refraining from opening Office files that originate from the Internet. Kind of unsatisfactory.
Problem known for years
Back in the German blog post Angriff über Office-Dokumente auf Microsoft MSHTML (ActiveX) RCE-Schwachstelle (CVE-2021-40444), German security researcher Stefan Kanthak pointed out in this comment that blocking the installation of ActiveX elements via a registry entry, as Microsoft proposed for mitigating the vulnerability, is not really effective. He referred to the possibility described in KB4058123 to set the Office COM kill bit in the registry. The Office COM kill bit was introduced with security update MS10-036 to prevent certain COM objects from running when embedded in or linked to Office documents.
The COM kill bit functionality was updated in KB3178703 to completely prevent Office from activating COM objects. This update is an extension of the original behavior, whereby in addition to blocking COM objects that are embedded or linked in Office documents, all instances of COM objects that are loaded within the Office process through other means such as add-ins are blocked. These specific COM objects include ActiveX controls and OLE objects. You can use the registry to independently control which COM objects are blocked.
With this approach, users could secure their systems. Microsoft even published a Kill Bit FAQ on this topic in 2008, which Stefan Kanthak linked to in his comment. However, I don’t find anything about this in Microsoft’s warning about the remote code execution vulnerability CVE-2021-40444.
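To check which COM objects a system (or a .reg file you are about to import) actually blocks, the following added example, which is not code from the blog or from Microsoft, parses a registry export and reports the kill-bit state per CLSID. It assumes the commonly documented key locations (`Internet Explorer\ActiveX Compatibility` and `Office\16.0\Common\COM Compatibility`), the `Compatibility Flags` value 0x400 and the Office `ActivationFilterOverride` value; the CLSIDs are constructed placeholders and `audit_kill_bits` is a hypothetical helper name.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that blocks instantiation of a CLSID

# {CLSID} subkeys below the IE and Office kill-bit locations (assumed paths).
KEY_RE = re.compile(
    r"^\[HKEY_[^\]]*\\(?P<scope>ActiveX Compatibility|COM Compatibility)"
    r"\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<data>[0-9A-Fa-f]{1,8})$')

# Constructed sample export; the CLSIDs are placeholders, not real controls.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{00000000-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400
"ActivationFilterOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{00000000-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000
"""


def audit_kill_bits(reg_text):
    """Return {(scope, CLSID): status} for every kill-bit key in a .reg export."""
    found, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            scope = "IE" if key["scope"] == "ActiveX Compatibility" else "Office"
            current = (scope, key["clsid"].upper())
            found[current] = {}
        elif line.startswith("["):
            current = None  # unrelated key, or a "[-...]" deletion entry
        elif current and (val := VALUE_RE.match(line)):
            found[current][val["name"].lower()] = int(val["data"], 16)
    status = {}
    for ident, values in found.items():
        if not values.get("compatibility flags", 0) & KILL_BIT:
            status[ident] = "not blocked"
        elif ident[0] == "Office" and values.get("activationfilteroverride", 0):
            status[ident] = "kill bit overridden"  # Office loads it anyway
        else:
            status[ident] = "blocked"
    return status


if __name__ == "__main__":
    for ident, state in audit_kill_bits(SAMPLE_REG).items():
        print(ident, state)
```

A CLSID that is blocked for Internet Explorer but reported as "kill bit overridden" or missing for Office is the gap worth reviewing, since the two locations are evaluated independently.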
If you want to harden your systems a bit better in this respect, you should have a look at the registry file IE_safer.reg, published by Stefan Kanthak since 2004 and updated again and again. Otherwise, it remains to be seen what the Microsoft universe will present to us in the coming hours in this regard. In the long run, IT managers should think about whether they want to continue to rely on this patchwork, which is rather broken in terms of security.