Zero-Day Vulnerability Targeting Windows Users With Microsoft Office Documents

Microsoft on Tuesday issued a security advisory identifying a remote code execution vulnerability in MSHTML that affects Microsoft Windows by using specially-crafted Microsoft Office documents.

Tracked as CVE-2021-40444 (CVSS score: 8.8), this remote code execution vulnerability is embedded in MSHTML (aka Trident), a proprietary browser engine for the Microsoft Windows version of Internet Explorer, and affects Windows Server 2008 through 2019 and Windows 8.1 through 10.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document,” the company said in the security advisory.

“Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

According to the company, both their Microsoft Defender Antivirus and Microsoft Defender for Endpoint provide detection and protection for the known vulnerability. It has advised its customers to keep their antimalware products up to date and those who utilize automatic updates need not take additional action.

Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.

Microsoft said that upon completion of the investigation, it will take the appropriate action to help protect its customers, which may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

The Redmond giant credited Rick Cole of the Microsoft Threat Intelligence Center (MSTIC), Dhanesh Kizhakkinan, Bryce Abdo and Genwei Jiang of Mandiant, and Haifei Li of EXPMON, for discovering the vulnerability.

Andrew Thompson, a threat analyst at Mandiant, noted that “robust detections focused on post-exploitation behavior are a safety net that enables you to detect intrusions involving zero day exploitation.”

EXPMON said in a tweet that they detected a “highly sophisticated zero-day attack” targeted at Microsoft Office users.

“We have reproduced the attack on the latest Office 2019/Office 365 on Windows 10 (typical user environment), for all affected versions please read the Microsoft Security Advisory. The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous),” the company tweeted.

Meanwhile, Microsoft has not disclosed information about the nature of the attacks, their targets, or the attacker(s) exploiting this zero-day vulnerability to the public.

With regards to mitigations and workarounds, Microsoft suggested disabling the installation of all ActiveX controls in Internet Explorer, which can be accomplished for all sites by updating the registry.

“Previously-installed ActiveX controls will continue to run, but do not expose this vulnerability,” the advisory said.

“If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly.”

To disable ActiveX controls on an individual system:

1. To disable installing ActiveX controls in Internet Explorer in all zones, paste the following into a text file and save it with the .reg file extension:

2. Double-click the .reg file to apply it to your Policy hive.

3. Reboot the system to ensure the new configuration is applied.

This workaround sets the URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) for all internet zones for 64-bit and 32-bit processes.

New ActiveX controls will not be installed and previously installed ActiveX controls will continue to run.