CVE-2021-40444 are ESET user protected?

[Jean-Claude 0]

Microsoft MSHTML Remote Code Execution Vulnerability

CVE-2021-40444  are ESET user protected?

[Marcos 5,074]

ESET detects known samples exploiting the vulnerability. The challenge is that the hashes or files found to be using the vulnerability have not been made public and the hashes you may find on Twitter or elsewhere on the Internet is rather just people guessing that they have found documents which are probably using the vulnerability which makes it difficult to verify detection.

[itman 1,659]

Anyone that has MS Office properly configured security-wise, doesn't have to worry about this:

Quote

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Namely:

Quote

Mitigations

By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office both of which prevent the current attack. For information about Protected View, see What is Protected View?.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

For commercial environments, Application Guard for Office which is available on all Win 10 Pro+ versions is strongly recommended. The reason being:

Quote

Office opens files from potentially unsafe locations in Application Guard, a secure container that's isolated from the rest of your data through hardware-based virtualization. Unlike Protected View, when Office opens files in Application Guard, you can securely read, edit, print, and save those files without having to re-open files outside the container.

https://support.microsoft.com/en-us/topic/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46

Edited September 9, 2021 by itman

[Jean-Claude 0]

Thank you, very helpfull.

[itman 1,659]

Here's the latest on this vulnerability: https://www.bleepingcomputer.com/news/microsoft/windows-mshtml-zero-day-defenses-bypassed-as-new-info-emerges/ .

The article gets into ways MS Office Protected View can be bypassed; namely its reliance on Mark-of-the-Web alternate data stream for downloaded attachments and ways that can be bypassed. As such and as the article notes, best not to open any document related attachments unless from known trusted sources.

I would say that Application Guard is still an effective mitigation against this.

Edited September 9, 2021 by itman

[itman 1,659]

Also if one was employing Eset recommended anti-ransomware HIPS rules to block any process startup from Office apps, that also should mitigate most attack vectors.

[PuterCare 3]

8 hours ago, itman said:

Also if one was employing Eset recommended anti-ransomware HIPS rules to block any process startup from Office apps, that also should mitigate most attack vectors.

Are these default rules or something that is documented but needs to be set up? I had a look in the help files and found the built-in policies in ESMC/PROTECT. Thanks

[Marcos 5,074]

33 minutes ago, PuterCare said:

Are these default rules or something that is documented but needs to be set up? I had a look in the help files and found the built-in policies in ESMC/PROTECT. Thanks

It's custom HIPS rules: https://support.eset.com/en/kb6119

They are not there by default since they may generate false positives especially in networks where scripting is used. After creating the rules we recommend monitoring the network for potential script-related issues and disable or adjust the appropriate rule(s), if necessary.

[itman 1,659]

Per the posted above linked bleepingcomputer.com article, here is how this vulnerability is being exploited.

What Microsoft needs to do to mitigate this is speed up removal of IE11: https://www.zdnet.com/article/microsoft-is-dropping-support-for-ie-on-many-versions-of-windows-10-on-june-15-2022/ .

Also Eset HIPS rule to block process startups from Office Word could be modified to only do so for x(64) and x(86) iexplore.exe. I assume no one uses IE11 anymore as their default browser ........

Quote

How CVE-2021-40444 is currently used in attacks

While we do not have the actual phishing emails used in the attacks, Beaumont has analyzed the malicious Word document to understand better how the exploit works.

Looks like this has been in the wild for a week or more. Uses the daft as F feature that allows Word to load a template from internet, that spawns IE and then trusts JS and ActiveX controls, then uses ../.. (yes it's 1999) to spawn .cpl file https://t.co/mOvaN9YLj6 pic.twitter.com/xLf2jVWyY5

— Kevin Beaumont (@GossiTheDog) September 8, 2021

Edited September 10, 2021 by itman

[itman 1,659]

Based on this .docx sample: https://www.joesandbox.com/analysis/476188/1/html , Eset and most other AVs are detecting the dropper file now.

[itman 1,659]

I missed this mitigation, so will post it now. Personally, I believe blocking IE11 startup from MS Office apps is the way to go. Or just block all startup of IE11 if you don't use it.

Oops - this mitigation has been bypassed by not using ActiveX controls anymore: https://twitter.com/GossiTheDog/status/1435570418623070210 . 😬

Quote

Workaround for CVE-2021-40444 zero-day attacks

As there is no security update available at this time, Microsoft has provided the following workaround - disable the installation of all ActiveX controls in Internet Explorer.

A Windows registry update ensures that ActiveX is rendered inactive for all sites, while already available ActiveX controls will keep functioning.

Users should save the file below with the .REG extension and execute it to apply it to the Policy hive. After a system reboot, the new configuration should be applied.

As updates are not available yet for the CVE-2021-40444, they have released the following workaround that prevents ActiveX controls from running in Internet Explorer and applications that embed the browser.

To disable ActiveX controls, please follow these steps:

1. Open Notepad and paste the following text into a text file. Then save the file as disable-activex.reg. Make sure you have the displaying of file extensions enabled to properly create the Registry file.
   
   Alternatively, you can download the registry file from here.

   Windows Registry Editor Version 5.00
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
   "1001"=dword:00000003
   "1004"=dword:00000003
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
   "1001"=dword:00000003
   "1004"=dword:00000003
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
   "1001"=dword:00000003
   "1004"=dword:00000003
   
   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
   "1001"=dword:00000003
   "1004"=dword:00000003

2. Find the newly created disable-activex.reg and double-click on it. When a UAC prompt is displayed, click on the Yes button to import the Registry entries.
3. Reboot your computer to apply the new configuration.

Once you reboot your computer, ActiveX controls will be disabled in Internet Explorer.

When Microsoft provides an official security update for this vulnerability, you can remove this temporary Registry fix by manually deleting the created Registry keys.

Alternatively, you can utilize this reg file to automatically delete the entries.

https://www.bleepingcomputer.com/news/security/microsoft-shares-temp-fix-for-ongoing-office-365-zero-day-attacks/

Edited September 10, 2021 by itman

[itman 1,659]

Latest mitigation for .rtf file use since the exploit has been modified to use these:

Quote

Disable document preview in Windows Explorer

Security researchers have also found that this vulnerability can be exploited by viewing a malicious document using the Windows Explorer preview feature.

CVE-2021-40444 is so bad pic.twitter.com/3Gu9ahwmHd

— jq0904 (@jq0904) September 10, 2021

Since this was discovered, Microsoft has added the following mitigation to disable previewing of RTF and Word documents:

1. In the Registry Editor (regedit.exe), navigate to the appropriate registry key:

   For Word documents, navigate to these keys:

   • HKEY_CLASSES_ROOT.docx\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}
   • HKEY_CLASSES_ROOT.doc\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}
   • HKEY_CLASSES_ROOT.docm\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}

   For rich text files (RTF), navigate to this key:

   • HKEY_CLASSES_ROOT.rtf\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}
2. Export a copy of the Registry key as a backup.
3. Now double-click Name and in the Edit String dialog box, delete the Value Data.
4. Click OK,

Word document and RTF file previews are now disabled in Windows Explorer.

To enable Windows Explorer preview for these documents, double-click on the backup .reg file you created in step 2 above.

While these mitigations will help, as the exploit has been modified not to use ActiveX controls, users are still at risk until an official security update is released.

https://www.bleepingcomputer.com/news/microsoft/windows-mshtml-zero-day-exploits-shared-on-hacking-forums/

Edited September 13, 2021 by itman

[itman 1,659]

Quote

Microsoft today fixed a high severity zero-day vulnerability actively exploited in targeted attacks against Microsoft Office and Office 365 on Windows 10 computers.

The remote code execution (RCE) security flaw, tracked as CVE-2021-40444, was found in the MSHTML Internet Explorer browser rendering engine used by Microsoft Office documents.

According to Microsoft, CVE-2021-40444 impacts Windows Server 2008 through 2019 and Windows 8.1 or later, and it has a severity level of 8.8 out of the maximum 10.

"Microsoft has released security updates to address this vulnerability," the company said today in an advisory update published as part of this month's Patch Tuesday.

"Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately."

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-cve-2021-40444-mshtml-zero-day-bug/

Edited September 14, 2021 by itman

[Aryeh Goretsky 378]

Hello,

Just to follow up since I've been out of the office, CVE-2021-40444 is currently detected as DOC/TrojanDownloader.Agent.DIC and DOC/TrojanDownloader.Agent.DHY.

For more information, please see ESET Knowledgebase Article # 8122, Does ESET protect me from the Microsoft Windows remote code execution vulnerability CVE-2021-40444?

Regards,

Aryeh Goretsky

[itman 1,659]

14 hours ago, Aryeh Goretsky said:

Just to follow up since I've been out of the office, CVE-2021-40444 is currently detected as DOC/TrojanDownloader.Agent.DIC and DOC/TrojanDownloader.Agent.DHY.

Since the Eset KB article only addresses the ActiveX vulnerability, does Eset also protect against .rtf vulnerabilty?

[Aryeh Goretsky 378]

Hello,

Those detections are for files containing an exploit for the vulnerability.

Regards,

Aryeh Goretsky