Microsoft Releases Mitigations and Workarounds for Office Zero-Day RCE Flaw

Last updated September 21, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

Microsoft has released some details about CVE-2021-40444, a zero-day remote code execution vulnerability in Trident, which is a proprietary browser engine used by Internet Explorer, Microsoft Office, Skype, the Windows Media Player, Valve’s Steam client, and many more products. The high-severity (CVSS: 8.8) flaw is being under active exploitation in the wild, targeting Office 365 users with maliciously crafted Office documents. All that is needed for the attack to work is to convince the user to open the document.

Right now, there’s no fixing update out, as Microsoft is still investigating and working on a fix. The Defender AV and Defender for Endpoint products have been updated to identify the exploitation efforts and serve alerts to the users who receive the malicious documents, so this is one way to deal with the threat. Another one would be to disable the installation of all ActiveX controls in Internet Explorer. To do that, paste the following into a text file and save it with the “.reg” file extension:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003 

Then double-click on the newly created reg file to apply it to your Policy hive, and finally perform a system reboot for the configuration change to apply. This will prevent all new ActiveX controls from installation, so the malicious documents won’t harm the system if opened. Old ActiveX controls will continue to run, but these don’t affect the flaw, nor can they be leveraged for an attack.

BreachQuest’s co-founder, Jake Williams, told TechNadu:

MSHTML is a component used by myriad applications on Windows. If you've ever opened an application that seemingly "magically" knows your proxy settings, that's likely because it uses MSHTML under the hood. While there are currently few details available about the vulnerability, the impact is likely to extend beyond MS Office. Vulnerabilities like these tend to have extremely long lifetimes for exploitation in the wild, highlighting the need for security monitoring and periodic threat hunting.

In general, when receiving Office files, treat them with the extra caution they deserve. Sophisticated actors are already distributing malicious Docx files in highly targeted attacks, so if you have received a document from an address you see for the first time, don’t open it. Once a fix is out, hopefully on the upcoming Patch Tuesday, users may delete the reg file and return to their normal configuration.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: