
Microsoft MSHTML Remote Code Execution Vulnerability

Issued: 
Thursday, 9 September, 2021
Last Revision: 
Thursday, 9 September, 2021
Vendor: 
Severity Level: 
Summary: 
Microsoft said on 7 September 2021 that some of its users are being targeted by poisoned Office documents that exploit an unpatched flaw to hijack Windows machines.
CVE-2021-40444 is described as a hole in MSHTML, Internet Explorer's browser engine. Cyber criminals are seemingly placing a malicious ActiveX control in Microsoft Office documents and convincing victims to open or view them, potentially achieving remote code execution.
Exploitation of this vulnerability may allow a remote attacker to take control of an affected system.
This vulnerability has been detected in exploits in the wild.
 
 

Description:    Remote code execution vulnerability in MSHTML that affects Microsoft Windows.
CVE:            CVE-2021-40444
CVSS3.0 Score:  8.8

                                                                Table 1: Vulnerability details

 

Vulnerability / CVE: CVE-2021-40444

Affected Product(s):

  Windows 7 for x64-based Systems Service Pack 1
  Windows 7 for 32-bit Systems Service Pack 1
  Windows Server 2012 R2 (Server Core installation)
  Windows Server 2012 R2
  Windows Server 2012 (Server Core installation)
  Windows Server 2012
  Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  Windows Server 2008 R2 for x64-based Systems Service Pack 1
  Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  Windows Server 2008 for x64-based Systems Service Pack 2
  Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  Windows Server 2008 for 32-bit Systems Service Pack 2
  Windows RT 8.1
  Windows 8.1 for x64-based systems
  Windows 8.1 for 32-bit systems
  Windows Server 2016 (Server Core installation)
  Windows Server 2016
  Windows 10 Version 1607 for x64-based Systems
  Windows 10 Version 1607 for 32-bit Systems
  Windows 10 for x64-based Systems
  Windows 10 for 32-bit Systems
  Windows Server, version 20H2 (Server Core installation)
  Windows 10 Version 20H2 for ARM64-based Systems
  Windows 10 Version 20H2 for 32-bit Systems
  Windows 10 Version 20H2 for x64-based Systems
  Windows Server, version 2004 (Server Core installation)
  Windows 10 Version 2004 for x64-based Systems
  Windows 10 Version 2004 for ARM64-based Systems
  Windows 10 Version 2004 for 32-bit Systems
  Windows Server 2022 (Server Core installation)
  Windows Server 2022
  Windows 10 Version 21H1 for 32-bit Systems
  Windows 10 Version 21H1 for ARM64-based Systems
  Windows 10 Version 21H1 for x64-based Systems
  Windows 10 Version 1909 for ARM64-based Systems
  Windows 10 Version 1909 for x64-based Systems
  Windows 10 Version 1909 for 32-bit Systems
  Windows Server 2019 (Server Core installation)
  Windows Server 2019
  Windows 10 Version 1809 for ARM64-based Systems
  Windows 10 Version 1809 for x64-based Systems
  Windows 10 Version 1809 for 32-bit Systems

                                                                      Table 2: Vulnerable versions

Recommendation: 

Microsoft has published workaround information about steps you can take to protect your system from this vulnerability.

Disabling the installation of all ActiveX controls in Internet Explorer mitigates this attack. This can be accomplished for all sites by updating the registry. Previously-installed ActiveX controls will continue to run, but do not expose this vulnerability.

 

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

 

To disable ActiveX controls on an individual system:

  1. To disable installing ActiveX controls in Internet Explorer in all zones, paste the following into a text file and save it with the .reg file extension (each key path is a single line; the four sections cover zones 0 to 3):

     Windows Registry Editor Version 5.00

     [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
     "1001"=dword:00000003
     "1004"=dword:00000003

     [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
     "1001"=dword:00000003
     "1004"=dword:00000003

     [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
     "1001"=dword:00000003
     "1004"=dword:00000003

     [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
     "1001"=dword:00000003
     "1004"=dword:00000003

  2. Double-click the .reg file to apply it to your Policy hive.
  3. Reboot the system to ensure the new configuration is applied.

 

Impact of workaround:

This sets URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) for all Internet zones, for both 64-bit and 32-bit processes. New ActiveX controls will not be installed. Previously-installed ActiveX controls will continue to run.

 

How to undo the workaround

 

Delete the registry keys that were added in implementing this workaround.
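The following PowerShell script is an added example, not part of the Q-CERT advisory or of Microsoft's guidance. It audits, applies and undoes the same workaround the .reg file above implements: values 1001 and 1004 set to DWORD 3 under zones 0 to 3 of the Policies hive. It assumes an elevated PowerShell session on the affected Windows host; the function names (Test-ActiveXWorkaround, Set-ActiveXWorkaround, Remove-ActiveXWorkaround) are this example's own.

```powershell
# Added example (not from the Q-CERT advisory or Microsoft): audit, apply and
# undo the ActiveX-installation workaround from an elevated PowerShell session.
# Key path, value names (1001 = URLACTION_DOWNLOAD_SIGNED_ACTIVEX,
# 1004 = URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX) and the value 3 (DISABLED)
# are the ones the advisory's .reg file sets for zones 0 to 3.

$ZonesKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ValueNames = @('1001', '1004')
$Disabled   = 3
$Zones      = 0..3

function Test-ActiveXWorkaround {
    # Report, per zone, whether both URL actions are already DISABLED (3).
    # A missing key or value is shown as $null, i.e. not mitigated by policy.
    foreach ($zone in $Zones) {
        $zonePath = Join-Path $ZonesKey $zone
        $signed = $null; $unsigned = $null
        if (Test-Path $zonePath) {
            $props    = Get-ItemProperty -Path $zonePath
            $signed   = $props.'1001'
            $unsigned = $props.'1004'
        }
        [pscustomobject]@{
            Zone      = $zone
            Signed    = $signed
            Unsigned  = $unsigned
            Mitigated = ($signed -eq $Disabled) -and ($unsigned -eq $Disabled)
        }
    }
}

function Set-ActiveXWorkaround {
    # Equivalent of importing the advisory's .reg file: create each zone key
    # under the Policies hive if needed and force both values to DWORD 3.
    foreach ($zone in $Zones) {
        $zonePath = Join-Path $ZonesKey $zone
        if (-not (Test-Path $zonePath)) { New-Item -Path $zonePath -Force | Out-Null }
        foreach ($name in $ValueNames) {
            New-ItemProperty -Path $zonePath -Name $name -Value $Disabled `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Remove-ActiveXWorkaround {
    # Undo: remove only the two values the workaround added, leaving any other
    # policy values under the zone keys untouched.
    foreach ($zone in $Zones) {
        $zonePath = Join-Path $ZonesKey $zone
        if (Test-Path $zonePath) {
            foreach ($name in $ValueNames) {
                Remove-ItemProperty -Path $zonePath -Name $name -ErrorAction SilentlyContinue
            }
        }
    }
}

# Typical use: audit first, apply only if some zone is not yet mitigated, re-audit.
Test-ActiveXWorkaround | Format-Table -AutoSize
if (Test-ActiveXWorkaround | Where-Object { -not $_.Mitigated }) {
    Set-ActiveXWorkaround
    Test-ActiveXWorkaround | Format-Table -AutoSize
}
```

The audit function is the part worth keeping after patching: run it across a fleet to confirm the policy values are present and equal to 3 on every zone, rather than trusting that the .reg file was imported. The advisory's reboot step still applies after Set-ActiveXWorkaround. The undo function deliberately removes only the two values rather than the whole zone keys, so that any other policy settings under those keys survive; if the keys did not exist before the workaround, removing them entirely is the exact reverse of what the advisory describes.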