Microsoft Shares Temporary Fix for Ongoing Office 365 Zero-day Attacks

Microsoft has shared a mitigation for a remote code execution vulnerability in Windows that is being exploited in targeted attacks against Office 365 and Office 2019 on Windows 10. The bug is in MSHTML, the browser rendering engine that is also used by Microsoft Office documents.

Ongoing Attacks against Office 365

Tracked as CVE-2021-40444, the vulnerability affects Windows Server 2008 through 2019 and Windows 8.1 through 10 and has a severity score of 8.8 out of a maximum of 10. Microsoft says it is aware of targeted attacks that attempt to exploit the vulnerability by sending specially crafted Microsoft Office documents to potential victims, and the company has published an advisory.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document” – Microsoft

However, the attack is blocked if Microsoft Office runs with its default configuration, where documents from the web are opened in Protected View mode or in Application Guard for Office 365.

Protected View is a read-only mode with most editing functions disabled, while Application Guard isolates untrusted documents, preventing them from accessing corporate resources, the intranet, or other files on the system. Systems running Microsoft Defender Antivirus and Defender for Endpoint (build 1.349.22.0 and above) are protected against attempts to exploit CVE-2021-40444.

Microsoft's enterprise security platform displays alerts for this attack as "Suspicious Cpl File Execution." Researchers from several cybersecurity companies are credited with finding and reporting the vulnerability: Haifei Li of EXPMON; Dhanesh Kizhakkinan, Bryce Abdo, and Genwei Jiang, all three of Mandiant; and Rick Cole of Microsoft Security Intelligence.

In a tweet today, the exploit monitoring service EXPMON said it discovered the vulnerability after analyzing a "highly sophisticated zero-day attack" aimed at Microsoft Office users. EXPMON researchers reproduced the attack on the latest Office 2019 / Office 365 on Windows 10.


In a reply, Haifei Li of EXPMON said that the attackers used a .DOCX file. Upon opening it, the document loaded the Internet Explorer engine to render a remote web page from the threat actor.

The trojan is then downloaded using a specific ActiveX control on the web page. The payload is executed using "a trick called 'Cpl File Execution'," which is referenced in Microsoft's advisory. The researcher told us that the attack method is fully reliable, which makes it very dangerous. He reported the vulnerability to Microsoft early Sunday morning.

Workaround for CVE-2021-40444 zero-day Attacks

As no security update is available at this time, Microsoft has provided the following workaround: disable the installation of all ActiveX controls in Internet Explorer and in applications that embed the browser engine. A Windows registry update disables new ActiveX controls for all sites, while ActiveX controls that are already installed will keep working.

Users should save the file below with the .REG extension and run it to apply it to the Policy hive. After a system reboot, the new configuration takes effect.

The following registry file disables the ActiveX controls:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

Once you reboot your computer, ActiveX controls will be disabled in Internet Explorer.
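For administrators who want to verify the workaround across a fleet rather than trust a double-clicked .reg file, here is an added PowerShell example (not from the article or from Microsoft's advisory) that audits the same keys and values and can write them. It assumes the hive paths and action IDs exactly as in the .reg file above; the meaning of 1001, 1004 and 3 given in the comments is Internet Explorer's documented URL-action numbering, not something the article states.

```powershell
# Added example: audit (and optionally apply) the CVE-2021-40444 registry workaround.
# Keys and values mirror the published .reg file: URL actions 1001 (download signed
# ActiveX controls) and 1004 (download unsigned ActiveX controls) set to 3 (disable)
# in zones 0-3 of both the native and the WOW6432Node Policies hive.
$Hives = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)
$Actions = @('1001', '1004')   # URL action IDs taken from the .reg file
$Disable = 3                   # URLPOLICY_DISALLOW

function Get-ActiveXWorkaroundState {
    # Emits one row per key/value with the current setting ($null when not set)
    # and whether it matches the workaround.
    foreach ($base in $Hives) {
        foreach ($zone in 0..3) {
            $key = Join-Path $base $zone
            foreach ($action in $Actions) {
                $current = $null
                if (Test-Path $key) {
                    $current = (Get-ItemProperty -Path $key -Name $action `
                        -ErrorAction SilentlyContinue).$action
                }
                [pscustomobject]@{
                    Key       = $key
                    Action    = $action
                    Value     = $current
                    Compliant = ($current -eq $Disable)
                }
            }
        }
    }
}

function Set-ActiveXWorkaround {
    # Writes exactly what the .reg file would; run from an elevated prompt.
    foreach ($row in Get-ActiveXWorkaroundState | Where-Object { -not $_.Compliant }) {
        if (-not (Test-Path $row.Key)) { New-Item -Path $row.Key -Force | Out-Null }
        New-ItemProperty -Path $row.Key -Name $row.Action -PropertyType DWord `
            -Value $Disable -Force | Out-Null
    }
}

# Audit first; uncomment the last line to apply, then reboot as the workaround requires.
Get-ActiveXWorkaroundState | Format-Table -AutoSize
# Set-ActiveXWorkaround
```

Any row that shows Compliant = False after a reboot means the policy did not land (wrong hive, missing elevation, or a later Group Policy refresh overwrote it).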

When Microsoft releases an official security update for this vulnerability, you can undo this temporary registry fix by manually deleting the registry keys it created.
