Cyber Security News

Unpatched Windows 0-Day Bug Attacking Users Using MS Office Documents

According to Microsoft's investigation, a remote code execution vulnerability in MSHTML affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit the vulnerability using specially crafted Microsoft Office documents.

MSHTML is the browser rendering engine that Internet Explorer uses to parse and display HTML web pages; Microsoft Office can also host the same engine to render web content embedded in documents, which is what the attack relies on.

An attacker crafts a malicious ActiveX control that is loaded by a Microsoft Office document hosting the browser rendering engine. The attacker then has to convince the user to open the malicious document. Users whose accounts are configured with fewer user rights on the system are less affected than users who operate with administrative rights, because the dropped code runs with the privileges of the user who opened the document.

Microsoft assigned CVE-2021-40444 to this MSHTML remote code execution vulnerability; it carries a CVSS base score of 8.8 out of 10 (High).

“Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.”

Once the document is opened, the malicious ActiveX control drops malware onto the victim's device. Microsoft Defender for Endpoint reports this stage under the alert name "Suspicious Cpl File Execution".

EXPMON reports that it was able to reproduce the attack on the latest Office 2019 / Office 365 on Windows 10 in a normal user environment, so the exploit does not depend on an unusual configuration.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protection for the known vulnerability. Customers should keep their antimalware products up to date. Customers who use automatic updates do not need to take additional action; enterprise customers who manage updates themselves should select detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint displays the alert as "Suspicious Cpl File Execution".

Upon completion of the investigation, Microsoft says it will take the appropriate action to protect customers. This may include providing a security update through the monthly release process or an out-of-cycle security update, depending on customer needs.

The mitigations and workarounds below let users protect their systems from this vulnerability until a security update is available.

Default protections:

By default, Microsoft Office opens documents from the internet in Protected View or in Application Guard for Office, both of which prevent the current attacks. Note that Protected View only protects the user for as long as they do not click "Enable Editing" on the document.

ActiveX controls:

  • Disabling the installation of all ActiveX controls in Internet Explorer mitigates this attack. This can be done for all zones by updating the registry; ActiveX controls that were installed previously will continue to run but do not expose this vulnerability.
  • Paste the registry settings below into a text file and save it with the .reg file extension.
  • Double-click the .reg file to apply it to your Policy hive.
  • Reboot the system to ensure the new configuration is applied.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
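The .reg file above sets two per-zone values in the Policy hive: 1001 ("Download signed ActiveX controls") and 1004 ("Download unsigned ActiveX controls"), each to 3 (Disable), for zones 0 through 3 (Local Machine, Local Intranet, Trusted Sites, Internet). The PowerShell script below is an added example, not part of Microsoft's advisory or this article, that applies the same settings and, more usefully for a fleet, reports which zones are still non-compliant so the check can be run from a management tool. The function names and the -Apply switch are this example's own choices; run it from an elevated prompt and reboot afterwards as the advisory instructs.

```powershell
# Added example (not from Microsoft's advisory): apply and verify the
# CVE-2021-40444 ActiveX-download mitigation in the Policy hive.
# 1001 = download signed ActiveX controls, 1004 = download unsigned
# ActiveX controls; 3 = Disable. Zones 0-3 match the advisory's .reg file.
param([switch]$Apply)

$zonesBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$settings  = @{ '1001' = 3; '1004' = 3 }
$zones     = 0..3   # 0 Local Machine, 1 Local Intranet, 2 Trusted Sites, 3 Internet

function Set-ActiveXDownloadDisabled {
    # Creates the zone keys if missing and forces both values to 3 (Disable).
    foreach ($zone in $zones) {
        $key = Join-Path $zonesBase $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $settings.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $settings[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-ActiveXDownloadDisabled {
    # Returns one object per zone/value so the result can be exported or alerted on.
    # A missing key or value is reported as non-compliant, not silently skipped.
    foreach ($zone in $zones) {
        $key = Join-Path $zonesBase $zone
        foreach ($name in $settings.Keys) {
            $actual = $null
            if (Test-Path $key) {
                $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Zone      = $zone
                Value     = $name
                Expected  = $settings[$name]
                Actual    = $actual
                Compliant = ($actual -eq $settings[$name])
            }
        }
    }
}

if ($Apply) { Set-ActiveXDownloadDisabled }

$report = Test-ActiveXDownloadDisabled
$report | Format-Table -AutoSize

if ($report.Compliant -contains $false) {
    Write-Warning 'One or more zones still allow ActiveX control downloads; reboot after applying.'
    exit 1
}
```

Without -Apply the script only audits, which is the mode to run across endpoints after the .reg file has been pushed by Group Policy or a deployment tool. The audit distinguishes a value that is absent (Actual shows empty) from one that is set to something other than 3, so a zone where the policy never landed is not mistaken for one that was deliberately changed. As with the .reg file, this only blocks new ActiveX installs; a control already installed keeps running, and the setting does not replace the Defender update or the eventual security patch.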

Microsoft provides the information above "as is" and without warranty of any kind, disclaiming all warranties including those of merchantability and fitness for a particular purpose. Some states do not allow the exclusion or limitation of liability for incidental or consequential damages, so that limitation may not apply.


Guru

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.
