September 8, 2021

Microsoft MSHTML CVE-2021-40444 Zero-Day: What We Know So Far


## What Happened

Microsoft, Mandiant and EXPMON researchers discovered a set of flaws in MSHTML (Internet Explorer’s browser engine) that remote, unauthenticated attackers can use to execute code on a system.

Threat actors are exploiting this zero-day vulnerability in the wild by creating weaponized Office documents to hijack vulnerable Windows systems. Threat actors can use a malicious ActiveX control for an Office document that hosts the browser rendering engine. The attacker would need to persuade a user to open the malicious file, according to Microsoft.

## How Bad is This?

The CVE has a severity rating of 8.8 out of 10 and affects Windows Server 2008 through 2019 and Windows 8.1 through 10. [EXPMON confirmed via Twitter](https://twitter.com/EXPMON_/status/1435310341689331721?ref_src=twsrc%5Etfw) that they reproduced the attack using Office 2019/Office 365 on Windows 10.

The good news: the default setting for Microsoft Office opens documents from the internet using Protected View or Application Guard for Office, which prevents the attacks.

To determine the severity of this vulnerability, it’s important to consider the context. Word is currently one of the most common tools used for initial access. For example, CVE 2017-11882 accounted for nearly three-quarters of all exploits leveraged in Q4 2020, according to [a report from HP Bromium](https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf).

CVE-2021-40444 gives adversaries yet another way to abuse Word, which already offers no shortage of attack methods, and will likely have a long tail in terms of exploitation. It still requires the user to get past the "internet protection" step (Protected View), but it does not require the additional enable step that macros do.

## What Should I Do?

Microsoft recommends disabling the installation of ActiveX controls in Internet Explorer by updating the registry.

Microsoft provides the following instructions [in its advisory documentation](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444):

To disable installing ActiveX controls in Internet Explorer in all zones, paste the following into a text file and save it with the .reg file extension:

```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
```

Double-click the .reg file to apply it to your Policy hive.
Reboot the system to ensure the new configuration is applied.
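Applying a .reg file by hand does not tell you whether the lockdown actually landed on every host, or whether a later policy refresh undid it. The script below is an added example (it is not Blumira's or Microsoft's code) that audits the same four zone keys the .reg file writes and can apply the values itself. It assumes an elevated PowerShell session on Windows; the value names 1001 and 1004 and the value 3 come from the advisory's .reg file (1001 governs downloading signed ActiveX controls, 1004 unsigned ones, and 3 means Disable), while the function names are my own.

```powershell
# Added example (not Blumira's or Microsoft's code): audit, and optionally apply, the
# advisory's ActiveX lockdown across Internet Explorer zones 0-3. Assumes an elevated
# PowerShell session on Windows. Value names 1001 (download signed ActiveX controls)
# and 1004 (download unsigned ActiveX controls) and the value 3 (Disable) are taken
# from the advisory's .reg file; the function names are my own.

$ZonesKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ValueNames = @('1001', '1004')
$Disabled   = 3

function Test-ActiveXLockdown {
    # Emits one row per zone/value with the current setting and whether it matches the advisory
    param([int[]] $Zones = 0..3)

    foreach ($zone in $Zones) {
        $zonePath = Join-Path -Path $ZonesKey -ChildPath $zone
        foreach ($name in $ValueNames) {
            $current = $null
            if (Test-Path -Path $zonePath) {
                $current = (Get-ItemProperty -Path $zonePath -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Zone      = $zone
                ValueName = $name
                Current   = $current          # $null means the policy value is not set at all
                Compliant = ($current -eq $Disabled)
            }
        }
    }
}

function Set-ActiveXLockdown {
    # Writes the advisory's values; supports -WhatIf so the change can be previewed first
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int[]] $Zones = 0..3)

    foreach ($zone in $Zones) {
        $zonePath = Join-Path -Path $ZonesKey -ChildPath $zone
        if (-not (Test-Path -Path $zonePath)) {
            New-Item -Path $zonePath -Force | Out-Null
        }
        foreach ($name in $ValueNames) {
            if ($PSCmdlet.ShouldProcess("$zonePath\$name", "Set DWORD to $Disabled")) {
                Set-ItemProperty -Path $zonePath -Name $name -Value $Disabled -Type DWord
            }
        }
    }
}

# Usage: report first, then apply only where something is out of line.
$report = Test-ActiveXLockdown
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'At least one zone still allows ActiveX control installation; preview with Set-ActiveXLockdown -WhatIf, then run Set-ActiveXLockdown.'
}
```

The audit reads only the Policies branch, which is what the advisory's .reg file writes and what a GPO populates; a missing value there shows up as `Current = $null`, not as a pass. As with the manual steps, reboot (or at least restart the affected applications) after applying so the new zone settings take effect.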

This may seem like an easy mitigation, but some organizations have applications that use ActiveX and will be unable to use this workaround. In those cases, admins should reinforce training on [Protected View](https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653) with end users to ensure that emailed and downloaded documents do not leave Protected View until patches can be applied. The exploit cannot be triggered until a document leaves Protected View for "Edit" mode. If you previously disabled Protected View and cannot disable ActiveX, re-enable it immediately.

## How To Detect

Blumira is actively developing detection opportunities in our lab environment. Early reports indicate that possible EDR detection of execution may include control.exe with command arguments including cpl:../../../…
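To turn that early indicator into something you can run over endpoint telemetry, here is an added example (not Blumira's or Microsoft's code, and not one of Blumira's detections) that screens process-creation records for control.exe launched with a `cpl:` argument containing directory traversal. The field names (Image, CommandLine, ParentImage) follow Sysmon Event ID 1; the regex, the parent-process scoring and the sample records are my own assumptions, and the sample records are constructed rather than captured.

```powershell
# Added example (not Blumira's or Microsoft's code): screen process-creation records for
# control.exe launched with a "cpl:" argument containing directory traversal, the pattern
# described above. Field names (Image, CommandLine, ParentImage) follow Sysmon Event ID 1;
# the regex, the parent-process scoring and the sample records are my own assumptions.

$OfficeParents    = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE')
# "cpl:" immediately followed by one or more "../" or "..\" segments
$TraversalPattern = 'cpl:(\.\.[\\/])+'

function Get-LeafName {
    # Last path segment regardless of separator (works on non-Windows PowerShell too)
    param([string] $Path)
    ($Path -split '[\\/]')[-1]
}

function Find-SuspiciousControlLaunch {
    param([Parameter(ValueFromPipeline = $true)] [psobject] $Record)
    process {
        if ((Get-LeafName $Record.Image) -ine 'control.exe') { return }
        if ($Record.CommandLine -notmatch $TraversalPattern)  { return }
        $parent = Get-LeafName $Record.ParentImage
        # An Office parent matches the weaponised-document delivery described above
        $severity = if ($OfficeParents -icontains $parent) { 'High' } else { 'Medium' }
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            Computer    = $Record.Computer
            Parent      = $parent
            CommandLine = $Record.CommandLine
            Severity    = $severity
        }
    }
}

# Constructed sample records, not real telemetry
$samples = @(
    [pscustomobject]@{
        TimeCreated = '2021-09-08T10:01:00Z'; Computer = 'WS01'
        Image       = 'C:\Windows\System32\control.exe'
        CommandLine = '"C:\Windows\System32\control.exe" "cpl:../../../PLACEHOLDER"'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
    },
    [pscustomobject]@{
        TimeCreated = '2021-09-08T10:05:00Z'; Computer = 'WS02'
        Image       = 'C:\Windows\System32\control.exe'
        CommandLine = 'control.exe /name Microsoft.NetworkAndSharingCenter'
        ParentImage = 'C:\Windows\explorer.exe'
    },
    [pscustomobject]@{
        TimeCreated = '2021-09-08T10:09:00Z'; Computer = 'WS03'
        Image       = 'C:\Windows\System32\control.exe'
        CommandLine = 'control.exe "cpl:..\..\..\PLACEHOLDER"'
        ParentImage = 'C:\Windows\System32\cmd.exe'
    }
)

$samples | Find-SuspiciousControlLaunch | Format-Table -AutoSize
```

Of the three constructed records, the WINWORD.EXE-spawned launch is reported as High and the cmd.exe-spawned one as Medium, while the ordinary Control Panel invocation is not reported at all. Legitimate control.exe launches almost never carry a `cpl:` argument with `..` segments, so the traversal match does the heavy lifting; the parent check is there to rank alerts, not to suppress them, since the delivery vector is Office documents but the same handler could be reached other ways.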

Organizations running both Microsoft Defender Antivirus and [Microsoft Defender for Endpoint](https://www.blumira.com/integration/microsoft-defender-for-endpoint/) will be able to detect the exploit without taking additional action, according to Microsoft.

However, it is important to note that organizations running just Microsoft Defender for Endpoint (not AV) [are not protected by default](https://twitter.com/GossiTheDog/status/1435358973750874118). In that case, you must set EDR to block mode.

*Note: This was* [*originally posted on Blumira’s blog*](https://www.blumira.com/cve-2021-40444/)*. We will update our blog post, as well as this post, as the situation develops.*

Comments

KStieers

This can be done via GPO; those settings are the ones to disable ActiveX downloads…

(go digging in inetres.admx)
