Microsoft warns about new zero-day vulnerabilities, code could run when opening Office files

A remote code execution vulnerability exists in Microsoft Windows that could be exploited using Microsoft Office documentation to take control of the system. Attacks attempting to exploit this vulnerability have already been detected, but there are no patches and Microsoft has suggested a workaround.

CVE-2021-40444 --Security Update Guide --Microsoft --Microsoft MSHTML Remote Code Execution Vulnerability

https://www.bleepingcomputer.com/news/security/microsoft-shares-temp-fix-for-ongoing-office-365-zero-day-attacks/

Miscreants fling booby-trapped Office files at victims, no patch yet, says Microsoft • The Register
https://www.theregister.com/2021/09/07/microsoft_office_zero_day/

The vulnerability 'CVE-2021-40444' announced on September 7, 2021 affects Windows Server 2008-2019 and Windows 8.1-10, with a severity level of 8.8 out of a maximum of 10. ..

An MSHTML remote code execution vulnerability (CVE-2021-40444) has been exposed with a fixed exception. We have confirmed a limited attack. Please refer to the mitigation guidance and consider protecting your system. https://t.co/6A0xdSDinh

— Microsoft Security Team (@JSECTEAM) September 7, 2021

According to Microsoft, the vulnerability is related to remote code execution of the rendering engine 'MSHTML (Trident)' included in Windows. The company is already aware of targeted attacks that attempt to exploit this vulnerability, saying, 'Attackers have crafted ActiveX controls used by Microsoft Office documents hosted on the browser's rendering engine to give users. It prompts you to open a malicious document. A user whose account is configured to have less user privileges on the system may have less impact than a user who operates with administrative privileges. '

Microsoft is working on fixing the vulnerability, but the patch was not released at the time of writing the article, and Microsoft said as a countermeasure 'If Microsoft Office is the default setting, files on the Internet through Protected View or Application Guard for Office Open, these will prevent this attack. '' Microsoft Defender Antivirus and Microsoft Defender for Endpoints will also detect and protect against this vulnerability. Customers will keep their anti-malware products up to date. It should be updated. Customers with automatic updates do not need to take additional action. Corporate customers who manage updates choose a detection build newer than 1.349.22.0 and apply it to the entire environment. You need to. The Microsoft Defender for Endpoints alert should show 'Run Suspicious Cpl File'. '

In addition, Microsoft said there is a workaround to 'disable the installation of all ActiveX controls in Internet Explorer.' The method is as follows.

1: To disable the ActiveX control in all zones of Internet Explorer, first paste the following into a text and save it with a '.reg' extension.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ CurrentVersion \ Internet Settings \ Zones \ 0]
'1001' = dword: 00000003
'1004' = dword: 00000003

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ CurrentVersion \ Internet Settings \ Zones \ 1]
'1001' = dword: 00000003
'1004' = dword: 00000003

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ CurrentVersion \ Internet Settings \ Zones \ 2]
'1001' = dword: 00000003
'1004' = dword: 00000003

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ CurrentVersion \ Internet Settings \ Zones \ 3]
'1001' = dword: 00000003
'1004' = dword: 00000003

2: Double-click the above '.reg' to apply it to the policy hive.

3: Reboot the system as the new configuration applies.

In addition, since the monthly Windows Update is scheduled for September 15, 2021 (Wednesday), Japan time, it is expected that the patch will be distributed at this timing.