New 0-Day Attack Targeting Windows Users With Microsoft Office Documents

silversurfer

Level 75
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
6,427
Microsoft on Tuesday warned of an actively exploited zero-day flaw impacting Internet Explorer that's being used to hijack vulnerable Windows systems by leveraging weaponized Office documents.

Tracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Office to render web content inside Word, Excel, and PowerPoint documents.

"Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents," the company said.

"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," it added.

The Windows maker credited researchers from EXPMON and Mandiant for reporting the flaw, although the company did not disclose additional specifics about the nature of the attacks, the identity of the adversaries exploiting this zero-day, or their targets in light of real-world attacks.
Microsoft, upon completion of the investigation, is expected to either release a security update as part of its Patch Tuesday monthly release cycle or issue an out-of-band patch "depending on customer needs." In the interim, the Windows maker is urging users and organizations to disable all ActiveX controls in Internet Explorer to mitigate any potential attack.
 

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,983
However, the attack is thwarted if Microsoft Office runs with the default configuration, where documents from the web are opened in Protected View mode or Application Guard for Office 365.

Protected View is a read-only mode that has most of the editing functions disabled, while Application Guard isolates untrusted documents, denying them access to corporate resources, the intranet, or other files on the system.

Systems with active Microsoft’s Defender Antivirus and Defender for Endpoint (build 1.349.22.0 and above) benefit from protection against attempts to exploit CVE-2021-40444.

Microsoft's enterprise security platform will display alerts about this attack as "Suspicious Cpl File Execution."
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,152
MSHTML rendering survives even after uninstalling Internet Explorer.:(
This exploit can potentially affect many applications that use MSHTML rendering (for example some email clients).
As we can see a simple drive-by download of RTF file can trigger this exploit via Windows Explorer preview feature. So one has to disable installing ActiveX controls and additionally disable preview in Windows Explorer (for RTF and MS Office documents):

It is unclear for me if this can protect exploiting other applications.
 
Last edited:

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,152
The malware variants which work after opening the document can be also prevented by blocking ActiveX controls in MS Office. MSHTML will not trigger ActiveX control and the exploit will not work.
This mitigation is not as restrictive as Microsoft's recommendation (Microsoft recommends disabling ActiveX system-wide).

Edit1.
It is possible that a similar exploit can be created without using new ActiveX controls.

Edit2.
The control.exe is used in the attacks in the wild (so far). It is spawned by MS Office applications, so the attack should be mitigated (the malicious *.cpl file blocked) by the ASR rule "Block all Office applications from creating child processes".
For other applications (that use MSHTML rendering) similar mitigation can be used (via Exploit Protection in Security Center).
 
Last edited:

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,152
I am curious how this exploit affects the file viewers (QuickLook, WinQuickLook, Air File Viewer Pro, File Viewer Plus, etc.).
 
  • Like
Reactions: Nevi

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,152
It seems that the exploit via a preview of RTF files in the Explorer is related (so far) to MS Office Word. The winword.exe is a parent process of control.exe. This attack vector bypasses MS Office Protected View for the documents downloaded from the Internet.
So far, MSHTML exploit can be blocked on the later infection chain by any security that can block child processes of MS Office applications. Of course, it will be blocked at the earlier stage by blocking ActiveX controls.

Anyway, this exploit can also affect other applications that use MSHTML:

It is not clear to me if this exploit (Explorer's RTF preview) can work without MS Office. Explorer does not require an external application to preview RTF files. But, the preview should not allow ActiveX.:unsure:
The possible attacks via 3rd party file viewers are not so dangerous.
 
Last edited:

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,444
There been several samples that abuse this exploit in " the wild " so to speak for almost 2 weeks now, but the good part is that more or less all major AV vendors al ready cover those samples and kill them very well. I tested a whole bunch yesterday from common repositories with F-Secure and it didn't flinch once, but nailed and deleted the samples automatic as soon I tried to unpack them from the compressed archives. I actually only seen one small not really a conclusive test IMO of EDRs against this exploit. Bitdefender was the one so far that can't fully remove the payload sample, but it still blocks the attack.

 
Top