Microsoft has released some details about CVE-2021-40444, a zero-day remote code execution vulnerability in Trident, the proprietary browser engine used by Internet Explorer, Microsoft Office, Skype, Windows Media Player, Valve’s Steam client, and many other products. The high-severity (CVSS: 8.8) flaw is under active exploitation in the wild, targeting Office 365 users with maliciously crafted Office documents. All the attack needs to succeed is to convince the user to open the document.
Right now, there is no fix available, as Microsoft is still investigating and working on a patch. The Defender AV and Defender for Endpoint products have been updated to detect the exploitation attempts and alert users who receive the malicious documents, so that is one way to deal with the threat. Another is to disable the installation of all ActiveX controls in Internet Explorer. To do that, paste the following into a text file and save it with the “.reg” file extension:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
Then double-click the newly created .reg file to import it into the Policy hive, and finally reboot the system for the configuration change to take effect. This prevents any new ActiveX controls from being installed, so the malicious documents won’t harm the system if opened. Previously installed ActiveX controls will continue to run, but they are not affected by the flaw and cannot be leveraged for an attack.
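For administrators who prefer to apply and verify the same workaround from a shell, here is an added PowerShell example (not part of the article or of Microsoft’s guidance). It assumes an elevated PowerShell session on the affected Windows host and writes exactly the values the .reg file above sets; the function names are my own.

```powershell
# Added example: apply and audit the ActiveX-installation workaround for CVE-2021-40444.
# Zones 0-3 are Local Machine, Local intranet, Trusted sites and Internet.
# URL action 1001 = "Download signed ActiveX controls", 1004 = "Download unsigned
# ActiveX controls"; a DWORD of 3 means "Disable". Run as Administrator, then reboot.
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones      = 0..3
$Values     = @('1001', '1004')
$Disabled   = 3

function Set-ActiveXInstallBlocked {
    # Hypothetical helper: creates each zone key under the Policies hive if missing
    # and forces both URL actions to Disable, matching the .reg file in the article.
    foreach ($zone in $Zones) {
        $key = Join-Path $PolicyBase $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Values) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                -Value $Disabled -Force | Out-Null
        }
    }
}

function Test-ActiveXInstallBlocked {
    # Hypothetical helper: emits one object per zone/value so the result can be
    # logged, piped to Export-Csv, or checked from an endpoint-management script.
    foreach ($zone in $Zones) {
        $key = Join-Path $PolicyBase $zone
        foreach ($name in $Values) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $name `
                    -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Zone      = $zone
                Value     = $name
                Current   = $current
                Compliant = ($current -eq $Disabled)
            }
        }
    }
}

# Usage: apply the workaround, then confirm every row reports Compliant = True.
Set-ActiveXInstallBlocked
Test-ActiveXInstallBlocked | Format-Table -AutoSize
```

Running only Test-ActiveXInstallBlocked on a fleet is a quick way to see which machines still lack the workaround before the official fix ships.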
BreachQuest’s co-founder, Jake Williams, told TechNadu:
In general, when receiving Office files, treat them with the extra caution they deserve. Sophisticated actors are already distributing malicious Docx files in highly targeted attacks, so if you have received a document from an address you see for the first time, don’t open it. Once a fix is out, hopefully on the upcoming Patch Tuesday, users may delete the reg file and return to their normal configuration.