Microsoft Provides Temporary Fix for Office 365 Zero-Day
On September 7th, Microsoft released a security advisory for a remote code execution vulnerability (CVE-2021-40444) in MSHTML, the Internet Explorer rendering engine that Office applications on Windows use to display web content. Microsoft says it is investigating reports of targeted attacks that try to exploit the MSHTML flaw using specially crafted Microsoft Office files. The announcement says:
An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The advisory notes that customers running Microsoft Defender Antivirus or Microsoft Defender for Endpoint are protected: both products detect and block attempts to exploit the vulnerability. If these products are configured to update automatically, customers shouldn’t need to take any further action. Organizations that manage updates manually should make sure that detection build 1.349.22.0 or later is installed and deployed across the environment. If Microsoft Defender for Endpoint detects an attack that attempts to exploit the flaw, it raises the alert “Suspicious Cpl File Execution”.
It’s also worth noting that Application Guard and Protected View both prevent this attack for documents opened from the Internet. Those protections depend on the file carrying the Mark of the Web, so documents that arrive without it (for example, extracted from an archive or opened from a trusted location) don’t get the same safeguard, which is why the workaround below still matters.
CVE-2021-40444 MSHTML workaround
Microsoft is working on a fix, but we don’t know at this stage whether it will be ready for this month’s Patch Tuesday. Most likely we’ll have to wait until October, depending on how critical Microsoft decides the problem is. Until a fix is available, organizations can further protect themselves by disabling the installation of new ActiveX controls in Internet Explorer, which Microsoft says mitigates the attack.
Microsoft has published a set of registry values that can be configured to disable ActiveX installation:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
Copy and paste the text above into a text file (Notepad is ideal for this task) and save it with a .reg extension. Then double-click the file to apply the registry changes to your system and reboot the device. Because the values live under HKEY_LOCAL_MACHINE, the import needs an administrative account. Test the .reg file properly before deploying it widely, since it blocks every new ActiveX control, including legitimate ones. Microsoft describes the impact of the workaround as follows:
This sets the URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) for all internet zones for 64-bit and 32-bit processes. New ActiveX controls will not be installed. Previously-installed ActiveX controls will continue to run.
To remove the workaround, delete the registry keys that were added by the .reg file. Note that importing the .reg file only adds the two values in each zone subkey; if those subkeys already existed because of other Internet zone policies, check their contents before deleting the whole key, otherwise you will remove those settings too.
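The same workaround, applied and audited from PowerShell rather than a .reg file, as an added example that is not from the Petri article or from Microsoft’s advisory. It writes the same two URLACTION values (1001 and 1004) to DISABLED (3) in zones 0 to 3 under the Policies hive, reports which zones are out of compliance (useful for checking a fleet before and after rollout), and removes only what it added. The function names and the decision to delete a zone subkey only when it is otherwise empty are assumptions of this example; run it from an elevated session.

```powershell
# Added example (not from the Petri article or Microsoft's advisory): apply, verify and
# remove the CVE-2021-40444 ActiveX-installation workaround with PowerShell.
# Assumptions: only the four zone subkeys and the two URLACTION values below are touched;
# run from an elevated (administrator) PowerShell session.

$ZonesPolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = 0..3            # 0 = Local Machine, 1 = Intranet, 2 = Trusted, 3 = Internet
$Actions  = '1001', '1004'  # URLACTION_DOWNLOAD_SIGNED_ACTIVEX, URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX
$Disabled = 3               # URLACTION value: 0 = enable, 1 = prompt, 3 = disable

function Set-ActiveXInstallWorkaround {
    # Equivalent of importing Microsoft's .reg file: create each zone subkey under the
    # Policies hive if needed and force both download actions to DISABLED.
    foreach ($zone in $Zones) {
        $key = Join-Path $ZonesPolicyRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($action in $Actions) {
            New-ItemProperty -Path $key -Name $action -PropertyType DWord -Value $Disabled -Force | Out-Null
        }
    }
}

function Test-ActiveXInstallWorkaround {
    # Emits one object per zone/action so the result can be piped to Format-Table,
    # Export-Csv, or filtered with Where-Object { -not $_.Compliant }.
    foreach ($zone in $Zones) {
        $key = Join-Path $ZonesPolicyRoot $zone
        foreach ($action in $Actions) {
            $current = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
            [pscustomobject]@{
                Zone      = $zone
                Action    = $action
                Value     = $current          # $null when the value is absent
                Compliant = ($current -eq $Disabled)
            }
        }
    }
}

function Remove-ActiveXInstallWorkaround {
    # Reverses the workaround without disturbing other zone policies: delete the two
    # values, then drop the zone subkey only if nothing else is left inside it.
    foreach ($zone in $Zones) {
        $key = Join-Path $ZonesPolicyRoot $zone
        if (-not (Test-Path $key)) { continue }
        foreach ($action in $Actions) {
            Remove-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
        }
        $remaining = Get-Item -Path $key
        if ($remaining.ValueCount -eq 0 -and $remaining.SubKeyCount -eq 0) {
            Remove-Item -Path $key
        }
    }
}

# Usage (elevated session; reboot after applying or removing, as Microsoft advises):
#   Set-ActiveXInstallWorkaround
#   Test-ActiveXInstallWorkaround | Format-Table
#   Remove-ActiveXInstallWorkaround
```

Test-ActiveXInstallWorkaround is the piece worth keeping after the hotfix ships: pointed at the Policies hive it tells you whether the mitigation is actually in force on a machine, and the same pattern can later confirm that the workaround has been cleanly rolled back once the permanent update is deployed.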