On September 7th, Microsoft released a security advisory for a remote code execution vulnerability (CVE-2021-40444) in Microsoft MSHTML, the rendering engine that Office applications use on Windows to display web content. Microsoft says it is investigating reports of targeted attacks that try to exploit the MSHTML flaw using specially crafted Microsoft Office files. The advisory says:
An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The advisory notes that customers running Microsoft Defender Antivirus or Microsoft Defender for Endpoint are protected: both detect and block attempts to exploit the vulnerability. If these products are configured to update automatically, customers shouldn’t need to take any further action. Organizations that manage updates manually should make sure that detection build 1.349.22.0 or later is installed and deployed across the environment. If Microsoft Defender for Endpoint detects an attack that attempts to use the flaw, it raises the alert “Suspicious Cpl File Execution”.
It’s also worth noting that Application Guard and Protected View both prevent this attack for documents that are opened from the Internet.
Microsoft is working on a fix. But we don’t know at this stage if it will be ready for this month’s Patch Tuesday. Most likely, we’ll have to wait until October, depending on how critical Microsoft decides the problem is. But until a fix is available, organizations can further protect themselves by disabling the installation of ActiveX controls in Internet Explorer.
Microsoft has published a series of registry keys that can be configured to disable ActiveX:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
Copy and paste the text above into a text file (Notepad is ideal for this) and save it with a .reg extension. Double-click the file to apply the registry changes to your system, then reboot the device. Make sure you test your .reg file properly before deploying the fix widely. Microsoft describes the impact of the workaround as follows:
This sets the URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) for all internet zones for 64-bit and 32-bit processes. New ActiveX controls will not be installed. Previously-installed ActiveX controls will continue to run.
To remove the workaround, you’ll need to delete the registry keys that were added using the .reg file.
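For administrators who would rather script the workaround than distribute a .reg file, the following PowerShell is an added example (not from Microsoft's advisory or the original post) that audits, applies, or backs out the same two values in zones 0 through 3; the -Apply and -Remove switch names are my own.

```powershell
# Added example, not from the advisory: audit/apply/remove the CVE-2021-40444
# ActiveX workaround. Run from an elevated prompt, since it writes under HKLM.
# HKLM\SOFTWARE\Policies is not WOW64-redirected, so one write covers 32- and 64-bit processes.
[CmdletBinding()]
param(
    [switch]$Apply,    # write the values from the advisory
    [switch]$Remove    # back the workaround out again
)

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004),
# both set to DISABLED (3), exactly as in the .reg file above.
$values = @{ '1001' = 3; '1004' = 3 }

foreach ($zone in 0..3) {
    $key = "$base\$zone"

    if ($Apply) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $values.Keys) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $values[$name] -Force | Out-Null
        }
    }
    elseif ($Remove) {
        # Delete only the two values, not the whole zone key, in case other
        # Internet Settings policies already live there.
        foreach ($name in $values.Keys) {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        }
        continue
    }

    # Audit: report each zone/value and whether it matches the advisory's setting.
    foreach ($name in $values.Keys) {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Zone     = $zone
            Value    = $name
            Current  = $current
            Expected = $values[$name]
            State    = if ($current -eq $values[$name]) { 'OK' } else { 'NOT SET' }
        }
    }
}
```

Run it with no switches to check a machine, with -Apply to set the values (reboot afterwards, as the advisory instructs), and with -Remove once the patch is installed.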