About

Critical MSHTML Remote code execution vulnerability affects Microsoft Windows – resolved on 13.09.21

Microsoft has shared details about a vulnerability reported by multiple security researchers. The vulnerability has a CRITICAL severity and a CVSS score of 8.8, and it has been given the CVE tracking number CVE-2021-40444. It affects computers running Microsoft Windows, which can be infected with malicious code through ActiveX controls loaded by Internet Explorer’s MSHTML engine. CVE details of the vulnerability will be listed once Microsoft shares details of the fix that can be applied against the exploit.

Update – 14.09.21 – Microsoft’s Patch Tuesday release fully patches the MSHTML vulnerability on Windows; CVE-2021-40444 is now fully patched. Download the Patch Tuesday update from the Microsoft website to protect your IT infrastructure, using the Monthly Rollup update for your software version. Thanks to the Microsoft security research team; this one needed a quick fix.

Update – 13.09.21 – Significant attempts are being made to exploit the MSHTML vulnerability through MS Office documents and RTF documents, and over the past weekend hacking forums have filled with freely downloadable exploits. Given this, we advise that you avoid opening downloaded Office files and RTF files on your systems. Even a ‘Preview Document’ operation should be avoided. Since Microsoft is already investigating the issue, we expect a resolution or patch in the near future.

If for some reason you need to download an important file, check it on VirusTotal first. To learn more about VirusTotal and other online malware scanners, see our detailed guide to online file scanners.

As of 10th September, many Twitter posts indicate that security researchers have been able to bypass ‘Protected View’ using .RTF files. If you receive any email attachments, check them through the VirusTotal website, and do not open any attachment on your computer before scanning it for hidden malware.

Microsoft has released mitigations and workarounds to prevent attackers from exploiting your system. This vulnerability must be treated as a priority because zero-day remote code execution attacks are already targeting it, delivering malicious payloads in genuine-looking Microsoft Office documents.

What is the ActiveX vulnerability found on Microsoft Windows?

An attacker targets a user with Microsoft Office files. An Office file sent by an attacker may carry a malicious payload and induce the user to open it on the affected computer. Such a file may contain ActiveX controls that infect the system with malware. Essentially, a malicious ActiveX control that masquerades as an ordinary Office document is likely to compromise the computer.

How can I protect against the ActiveX or MSHTML vulnerability on Microsoft Windows?

Microsoft has published some best practices that will protect you against malicious ActiveX payloads. We list all of them below:

  • Enable Microsoft Defender Antivirus and Defender endpoint protection. Defender Antivirus and endpoint protection will protect against the MSHTML Remote Code Execution vulnerability on Microsoft Windows. The Defender endpoint protection module will raise an alert – “Suspicious Cpl File Execution”.
  • Use antivirus and anti-malware protection on your computer. In the normal course of things, the antivirus and anti-malware software will quarantine the malicious payload rather than let it affect your system.
  • If your computer is set to download ‘automatic updates’ from Microsoft, no further action is needed by you. You will be automatically protected against this vulnerability.
  • Enterprise customers of Microsoft are advised to download detection build 1.349.22.0 or later. This will protect the system against the MSHTML remote code execution vulnerability.

What is the CVE number and score of the vulnerability?

The remote code execution vulnerability has been assigned the CVE number CVE-2021-40444. No details of the vulnerability are yet available on the CVE site; more details will be added once Microsoft has found a fix for the issue. Currently, the issue is under investigation by Microsoft’s team.

The CVSS rating of the vulnerability is 8.8, making it a CRITICAL vulnerability. This is a zero-day remote code execution vulnerability, and administrators and users must enforce the mitigations or workarounds suggested by Microsoft immediately. The vulnerability type is ‘Remote Code Execution’, and Microsoft has confirmed that it is being exploited by attackers. Security incident response must be prepared at once to prevent any loss of data for business users.

Is there a fix for the ActiveX vulnerability on Microsoft Windows?

No, there is no fix for the vulnerability as I write this. However, Microsoft has released a mitigation strategy and a workaround to protect against exploitation of the MSHTML remote code execution vulnerability. The workaround requires editing the registry on the Windows computer to prevent any new ActiveX controls from being installed on the system.

We have listed the workaround below the mitigation plan.

Mitigation of the ActiveX vulnerability for Microsoft Windows computers

The vulnerability allows attackers to deliver malicious payloads in Microsoft Office documents. Whenever you receive a Microsoft Office document from the Internet, open it in ‘Protected View’. On some computers, Microsoft Office documents open in the Application Guard environment. If you ensure that any documents downloaded from the Internet are opened in ‘Protected View’ or the ‘Application Guard’ view, a malicious document will be quarantined and will not open on your system.

How can I enable Protected View for documents downloaded from the Internet?

‘Protected View’ is the default setting for any document downloaded from the Internet. However, if you wish to enable ‘Protected View’ on systems that do not seem to have the setting, please follow the instructions below:

1. Open Microsoft Word, PowerPoint or Excel. On the File menu, choose Options as shown below:

2. From the Options menu, select ‘Trust Center’:

3. Choose ‘Trust Center Settings’ to bring up the Trust Center settings. By default, the Trust Center settings open on ‘macro view’. Choose ‘Protected View’ instead, and ensure that all three properties of ‘Protected View’ are checked as per the screenshot below.

What is the workaround for the ActiveX vulnerability on Microsoft Windows?

The workaround for the ActiveX or MSHTML vulnerability involves editing the registry to prevent new ActiveX controls from being installed in your computer’s Internet Explorer. The vulnerability works through Internet Explorer’s rendering engine and targets the browser.

The workaround given below has been taken from the Microsoft website:

1. To disable ActiveX controls on an individual system:

To disable installing ActiveX controls in Internet Explorer in all zones, paste the following into a text file and save it with the .reg file extension:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

2. Double-click the .reg file to apply it to your Policy hive.

3. Reboot the system to ensure the new configuration is applied.

Impact of workaround.

This sets the URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) for all internet zones for 64-bit and 32-bit processes. New ActiveX controls will not be installed. Previously-installed ActiveX controls will continue to run.


from the Microsoft website - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

Microsoft has also published a fix for the vulnerability that disables ‘Preview’ of documents in Windows Explorer.

Here is what Microsoft has stated on the security release document for this fix to disable preview in Windows explorer:

To disable preview in Windows Explorer

Disabling Shell Preview prevents a user from previewing documents in Windows Explorer. Follow these steps for each type of document you want to prevent being previewed:

1. In Registry Editor, navigate to the appropriate registry key:

For Word documents:

HKEY_CLASSES_ROOT\.docx\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}
HKEY_CLASSES_ROOT\.doc\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}
HKEY_CLASSES_ROOT\.docm\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}

For rich text files:

HKEY_CLASSES_ROOT\.rtf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}

2. Export a copy of the registry key for backup.

3. Double-click Name and in the Edit String dialog box, delete the Value Data.

4. Click OK.
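To confirm that both registry workarounds above are actually in place on a host, here is an added PowerShell audit script (not code from Microsoft’s advisory). It assumes an elevated session and reads only the zone values (1001/1004 in zones 0–3) and the preview-handler keys listed above; it changes nothing.

```powershell
# Added example (not Microsoft's code): audit the two CVE-2021-40444 registry
# workarounds described above. Run in an elevated PowerShell session.

$ZoneBase    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PreviewGuid = '{8895b1c6-b41f-4c1c-a562-0d564250836f}'   # IPreviewHandler shell extension
$Extensions  = '.docx', '.doc', '.docm', '.rtf'

function Test-ActiveXInstallBlocked {
    # URLACTION_DOWNLOAD_SIGNED_ACTIVEX (1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (1004)
    # must both be 3 (DISABLED) in every zone 0-3 of the Policy hive.
    foreach ($zone in 0..3) {
        $vals = Get-ItemProperty -Path (Join-Path $ZoneBase $zone) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check     = "ActiveX install, zone $zone"
            Current   = "1001=$($vals.'1001') 1004=$($vals.'1004')"
            Mitigated = ($vals.'1001' -eq 3 -and $vals.'1004' -eq 3)
        }
    }
}

function Test-ShellPreviewDisabled {
    # The workaround clears the default value of the IPreviewHandler key, so an
    # empty or missing value means Explorer preview is disabled for that file type.
    foreach ($ext in $Extensions) {
        $key     = "Registry::HKEY_CLASSES_ROOT\$ext\ShellEx\$PreviewGuid"
        $handler = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Check     = "Shell preview, $ext"
            Current   = $(if ($handler) { $handler } else { '<empty>' })
            Mitigated = [string]::IsNullOrEmpty($handler)
        }
    }
}

$report = @(Test-ActiveXInstallBlocked) + @(Test-ShellPreviewDisabled)
$report | Format-Table -AutoSize
if ($report.Mitigated -contains $false) {
    Write-Warning 'At least one CVE-2021-40444 workaround is not applied on this host.'
}
```

A row with Mitigated = False tells you which zone or file type still needs the corresponding step from the Microsoft instructions.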

Summary

The MSHTML Remote Code Execution vulnerability on Microsoft Windows is a critical vulnerability that affects the target computer’s Internet Explorer engine and allows the system to be infected with malware. Thankfully, the mitigations and workarounds suggested by Microsoft are straightforward and can be implemented to protect against this remote code execution vulnerability.