Microsoft Releases Mitigations and Workarounds for Office Zero-Day RCE Flaw

• Microsoft has released an urgent security advisory about a nasty Office zero-day RCE vulnerability.
• Right now, the only way to deal with the attacks is through mitigations and caution, but a fix should be out soon.
• The vulnerable component is used by a galore of software products, so the exploitation is likely to go beyond just the Office.

Microsoft has released some details about CVE-2021-40444, a zero-day remote code execution vulnerability in Trident, which is a proprietary browser engine used by Internet Explorer, Microsoft Office, Skype, the Windows Media Player, Valve’s Steam client, and many more products. The high-severity (CVSS: 8.8) flaw is being under active exploitation in the wild, targeting Office 365 users with maliciously crafted Office documents. All that is needed for the attack to work is to convince the user to open the document.

Right now, there’s no fixing update out, as Microsoft is still investigating and working on a fix. The Defender AV and Defender for Endpoint products have been updated to identify the exploitation efforts and serve alerts to the users who receive the malicious documents, so this is one way to deal with the threat. Another one would be to disable the installation of all ActiveX controls in Internet Explorer. To do that, paste the following into a text file and save it with the “.reg” file extension:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003 

Then double-click on the newly created reg file to apply it to your Policy hive, and finally perform a system reboot for the configuration change to apply. This will prevent all new ActiveX controls from installation, so the malicious documents won’t harm the system if opened. Old ActiveX controls will continue to run, but these don’t affect the flaw, nor can they be leveraged for an attack.

BreachQuest’s co-founder, Jake Williams, told TechNadu:

In general, when receiving Office files, treat them with the extra caution they deserve. Sophisticated actors are already distributing malicious Docx files in highly targeted attacks, so if you have received a document from an address you see for the first time, don’t open it. Once a fix is out, hopefully on the upcoming Patch Tuesday, users may delete the reg file and return to their normal configuration.