Microsoft has released an emergency advisory for a new zero-day remote code execution vulnerability in Windows that is already being exploited in the wild through specially crafted Microsoft Office documents. The vulnerability, tracked as CVE-2021-40444 with a CVSS score of 8.8, lies in MSHTML, Microsoft's own browser rendering engine, which Office applications such as Word and Excel use to render web content inside documents.
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” reads the advisory published by Microsoft.
The vulnerability was identified by EXPMON and Mandiant researchers, who reported the flaw to Microsoft. The vendor has confirmed the vulnerability and says in its advisory: “This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”
EXPMON took to Twitter to post about the vulnerability and urged Office users to remain cautious.
EXPMON system detected a highly sophisticated #ZERO-DAY ATTACK ITW targeting #Microsoft #Office users! At this moment, since there's no patch, we strongly recommend that Office users be extremely cautious about Office files – DO NOT OPEN if you do not fully trust the source! 💥💥⚡️⚡️
— EXPMON (@EXPMON_) September 7, 2021
Until a patch is available, Microsoft has published a workaround that protects systems from this vulnerability.
Disabling the installation of all ActiveX controls in Internet Explorer mitigates this attack. This can be accomplished for all sites by updating the registry. Previously installed ActiveX controls will continue to run, but they do not expose this vulnerability.
Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To disable ActiveX controls on an individual system:
- To disable installing ActiveX controls in Internet Explorer in all zones, paste the following into a text file and save it with the .reg file extension:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    "1001"=dword:00000003
    "1004"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    "1001"=dword:00000003
    "1004"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    "1001"=dword:00000003
    "1004"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1001"=dword:00000003
    "1004"=dword:00000003

- Double-click the .reg file to apply it to your Policy hive.
- Reboot the system to ensure the new configuration is applied.
Impact of workaround
This sets URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) for all Internet zones, for both 64-bit and 32-bit processes. The four keys correspond to the Local Machine (0), Local Intranet (1), Trusted Sites (2) and Internet (3) zones; because the values are written under the Policies hive, they take precedence over per-user Internet Options settings. New ActiveX controls will not be installed. Previously installed ActiveX controls will continue to run.
How to undo the workaround
Delete the registry values "1001" and "1004" under the Zones\0 to Zones\3 keys of the Policies hive that were added by this workaround (or the keys themselves, if they did not exist before), and reboot so the change takes effect.
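The same workaround, as a PowerShell script that applies, verifies or undoes the four-zone registry change described above (both the "To disable ActiveX controls" steps and the "How to undo the workaround" step). This is an added example, not Microsoft's own code or part of its advisory; the function names, the `-Action` parameter and the exit codes are this example's own choices. It assumes an elevated prompt, since the Policies hive is machine-wide. Unlike a plain deletion of the zone keys, the undo here removes only the two values the workaround wrote, so any other policy values that may already exist under those keys are left in place.

```powershell
# Added example (not from Microsoft's advisory): apply, verify, or undo the
# CVE-2021-40444 ActiveX-install mitigation without hand-editing the registry.
# Run from an elevated PowerShell prompt: the Policies hive is machine-wide.
[CmdletBinding()]
param(
    # Hypothetical parameter for this example: Apply (default), Verify or Undo.
    [ValidateSet('Apply', 'Verify', 'Undo')]
    [string]$Action = 'Apply'
)

$ZonesBase  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Zones 0-3 exactly as in the .reg file: Local Machine, Local Intranet, Trusted Sites, Internet.
$ZoneIds    = 0..3
# URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004).
$UrlActions = @('1001', '1004')
$Disabled   = 3   # URL action value 3 = Disabled

function Set-ActiveXInstallDisabled {
    # Create each zone key under the Policies hive if needed and force both
    # URL actions to Disabled (3), matching the dword:00000003 entries above.
    foreach ($zone in $ZoneIds) {
        $key = Join-Path $ZonesBase $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($urlAction in $UrlActions) {
            New-ItemProperty -Path $key -Name $urlAction -PropertyType DWord `
                -Value $Disabled -Force | Out-Null
        }
    }
}

function Test-ActiveXInstallDisabled {
    # Returns $true only if every zone/action pair is explicitly set to 3.
    # A missing key or value counts as not mitigated.
    $ok = $true
    foreach ($zone in $ZoneIds) {
        $key = Join-Path $ZonesBase $zone
        foreach ($urlAction in $UrlActions) {
            $current = (Get-ItemProperty -Path $key -Name $urlAction -ErrorAction SilentlyContinue).$urlAction
            if ($current -ne $Disabled) {
                Write-Warning "Zone $zone value $urlAction is '$current' (expected $Disabled)"
                $ok = $false
            }
        }
    }
    return $ok
}

function Remove-ActiveXInstallPolicy {
    # Undo: remove only the two values the workaround added. Other policy
    # values that may live under the same zone key are left untouched.
    foreach ($zone in $ZoneIds) {
        $key = Join-Path $ZonesBase $zone
        if (Test-Path $key) {
            foreach ($urlAction in $UrlActions) {
                Remove-ItemProperty -Path $key -Name $urlAction -ErrorAction SilentlyContinue
            }
        }
    }
}

switch ($Action) {
    'Apply' {
        Set-ActiveXInstallDisabled
        if (Test-ActiveXInstallDisabled) { 'Mitigation applied. Reboot to ensure it takes effect.' }
        else { 'Mitigation did NOT apply cleanly; see warnings above.'; exit 1 }
    }
    'Verify' {
        if (Test-ActiveXInstallDisabled) { 'Mitigation present in all four zones.' }
        else { 'Mitigation NOT fully applied.'; exit 1 }
    }
    'Undo' {
        Remove-ActiveXInstallPolicy
        'Mitigation values removed. Reboot to ensure the change takes effect.'
    }
}
```

Typical use is `.\Mitigate-CVE-2021-40444.ps1` to apply, `.\Mitigate-CVE-2021-40444.ps1 -Action Verify` from a management job to confirm the values are still in place (it exits non-zero when any zone has drifted), and `-Action Undo` once the vendor patch is installed. The Verify path deliberately treats an absent value as a failure rather than as "default", because the default for these URL actions differs per zone and only the explicit Policies-hive value 3 guarantees the behaviour the advisory describes.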