Threat Alert

by IthacaLabs™

THREAT LEVEL/High 10/09/2021

New 0-Day Attack Targeting Windows Users With Microsoft Office Documents

Threat Level Description

Threat Level: High - An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

Description

We have observed that a new zero-day attack targeting Windows users through Microsoft Office documents has been identified.

By exploiting this zero-day vulnerability (CVE-2021-40444), a remote unauthenticated attacker could execute arbitrary code on the targeted system and fully compromise it, depending on the affected user’s rights.

This remote code execution flaw (CVE-2021-40444) is currently delivered via malicious Office 365 documents and requires user interaction (opening the malicious file) to trigger.

This vulnerability is rooted in MSHTML, a proprietary browser engine for the now-discontinued Internet Explorer, which is used in Office to render web content inside Word, Excel, and PowerPoint documents.

These attacks use malicious ActiveX controls embedded in Microsoft Office documents; once the controls are enabled, they allow the execution of arbitrary code.

Note that this remote code execution flaw is actively exploited in the wild.

Nevertheless, attackers have to persuade victims to open the malicious file.

Also, Microsoft Office opens documents received over the Internet in Protected View or through Application Guard for Office, either of which can prevent this CVE-2021-40444 attack. However, users may click the Enable Editing button without a second thought, thus disarming Microsoft’s security mechanisms.

CVE(s)

CVE-2021-40444

Affected Systems

  • Microsoft Windows

Recommendation(s)

Microsoft is still investigating this issue. Until a security patch or a directive from the vendor is available, you should apply the workarounds below:

Prohibit the installation of new ActiveX controls by adding a few keys to the system registry, as described in Microsoft's advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444).

Disabling the installation of all ActiveX controls in Internet Explorer mitigates this attack. This can be accomplished for all sites by configuring Group Policy using your Local Group Policy Editor or by updating the registry. Previously installed ActiveX controls will continue to run, but do not expose this vulnerability.

To disable ActiveX controls via Group Policy

In Group Policy settings, navigate to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.

For each zone:

  • Select the zone (Internet Zone, Intranet Zone, Local Machine Zone, or Trusted Sites Zone).
  • Double-click Download signed ActiveX controls and Enable the policy. Then set the option in the policy to Disable.
  • Double-click Download unsigned ActiveX controls and Enable the policy. Then set the option in the policy to Disable.

We recommend applying this setting to all zones to fully protect your system.
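The registry form of the same workaround, as an added example that is not part of the IthacaLabs alert: this PowerShell script writes the per-zone policy values that the Group Policy steps above set (value names 1001 and 1004 for signed and unsigned ActiveX downloads, 3 = Disable, zone ids 0 to 3), as documented in the MSRC advisory linked above, and then reports whether each zone is mitigated. It assumes an elevated PowerShell session on the affected Windows host.

```powershell
# Added example (not from the IthacaLabs alert): apply and verify the
# "disable ActiveX installation" workaround for CVE-2021-40444 by writing the
# per-zone policy values described in the MSRC advisory. Requires an elevated
# session. The Policies hive is used because it overrides per-user settings.

$ZonesRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Zone ids: 0 = Local Machine, 1 = Intranet, 2 = Trusted Sites, 3 = Internet.
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet' }

# 1001 = "Download signed ActiveX controls", 1004 = "Download unsigned ActiveX
# controls"; 3 means Disable (0 = Enable, 1 = Prompt).
$Settings = @{ '1001' = 3; '1004' = 3 }

function Set-ActiveXDownloadDisabled {
    foreach ($zone in $ZoneNames.Keys) {
        $key = Join-Path $ZonesRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Settings.Keys) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                -Value $Settings[$name] -Force | Out-Null
        }
    }
}

function Test-ActiveXDownloadDisabled {
    # Emits one object per zone/value so the result can be logged or fed to a
    # compliance check; Mitigated is $false unless the value is exactly 3.
    foreach ($zone in ($ZoneNames.Keys | Sort-Object)) {
        $key = Join-Path $ZonesRoot $zone
        foreach ($name in ($Settings.Keys | Sort-Object)) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Zone      = "$zone ($($ZoneNames[$zone]))"
                Value     = $name
                Current   = $current
                Mitigated = ($current -eq 3)
            }
        }
    }
}

Set-ActiveXDownloadDisabled
Test-ActiveXDownloadDisabled | Format-Table -AutoSize
```

Run Test-ActiveXDownloadDisabled on its own to audit hosts that were supposed to receive the setting through Group Policy; any row with Mitigated = False is a zone where ActiveX downloads are still permitted.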

You should understand the importance of security updates and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to deploy an efficient patch management solution, keep security event logging enabled, and practice event monitoring. Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to risk management, including Penetration Testing at least annually and upon significant changes.
