With Windows MSHTML zero-day (CVE-2021-40444) tutorials and exploits currently available on hacking forums, hackers now have a chance to abuse this new vulnerability in their attacks.
On Tuesday, Microsoft reported details of the Windows MSHTML zero-day vulnerability. This flaw allows hackers to generate malicious documents, such as Office and RTF documents, that may remotely execute commands on a victim’s computer.
Though Microsoft has disclosed the vulnerability, any security update relevant to it is yet to be issued. However, it has provided mitigations to prevent as much exploitation as possible. These mitigations block ActiveX components and previews of Word/RTF documents in Windows Explorer.
Significant relief is that after the vulnerability was revealed, Microsoft Defender and other security tools started to detect and block malicious documents and CAB files utilized in this attack.
There are also mitigations from Microsoft to disable ActiveX controls in Internet Explorer, the MSHTML protocol’s default handler, and document preview in Windows Explorer.
You can follow these steps for disabling ActiveX controls:
- Open Notepad, and then paste this text:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] "1001"=dword:00000003 "1004"=dword:00000003
- Save the document and name it as disable-activex.reg. It would be better to save it on the desktop and enable the display of file extensions.
- Go to the desktop and open the disable-activex.reg When the UAC prompt appears, click on Yes so that Registry entries get imported.
- To apply this new configuration, restart the PC.
For disabling the previews of Word and RTF documents, you can follow these steps:
- Navigate to these registry keys in Registry Editor (regedit.exe):
For Word Documents:
- docx\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}
- doc\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}
- docm\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}
For RTF (Rich Text Files):
- rtf\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}
- As a backup, create a copy of the Registry key.
- Now, double-click on Name and remove the Value Data in the Edit String dialog box.
- Finally, click on OK.
Launch the backup file created in the second step if you want to turn on the preview of documents in Windows Explorer.
These mitigations will surely help, but users need to remain cautious and treat all Word and RTF files suspiciously until an official security update is released.