New 0-Day Attack Targeting Windows Users With Microsoft Office Documents

silversurfer

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,072
Content source
https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html
Microsoft on Tuesday warned of an actively exploited zero-day flaw impacting Internet Explorer that's being used to hijack vulnerable Windows systems by leveraging weaponized Office documents.

Tracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Office to render web content inside Word, Excel, and PowerPoint documents.

"Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents," the company said.

"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," it added.

The Windows maker credited researchers from EXPMON and Mandiant for reporting the flaw, although the company did not disclose additional specifics about the nature of the attacks, the identity of the adversaries exploiting this zero-day, or their targets in light of real-world attacks.
Click to expand...
Microsoft, upon completion of the investigation, is expected to either release a security update as part of its Patch Tuesday monthly release cycle or issue an out-of-band patch "depending on customer needs." In the interim, the Windows maker is urging users and organizations to disable all ActiveX controls in Internet Explorer to mitigate any potential attack.
Click to expand...
thehackernews.com

New 0-Day Attack Targeting Windows Users With Microsoft Office Documents

An active 0-day attack targets Windows users with Microsoft Office documents
thehackernews.com thehackernews.com
 
  • Like
  • Wow
  • +Reputation
Reactions: CyberTech, Nightwalker, Nevi and 10 others
Gandalf_The_Grey

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,231
However, the attack is thwarted if Microsoft Office runs with the default configuration, where documents from the web are opened in Protected View mode or Application Guard for Office 365.

Protected View is a read-only mode that has most of the editing functions disabled, while Application Guard isolates untrusted documents, denying them access to corporate resources, the intranet, or other files on the system.

Systems with active Microsoft’s Defender Antivirus and Defender for Endpoint (build 1.349.22.0 and above) benefit from protection against attempts to exploit CVE-2021-40444.

Microsoft's enterprise security platform will display alerts about this attack as "Suspicious Cpl File Execution."
Click to expand...
www.bleepingcomputer.com

Microsoft shares temp fix for ongoing Office 365 zero-day attacks

Microsoft today shared mitigation for a remote code execution vulnerability in Windows that is being exploited in targeted attacks against Office 365 and Office 2019 on Windows 10.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • +Reputation
Reactions: CyberTech, Nevi, [correlate] and 8 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
MSHTML rendering survives even after uninstalling Internet Explorer.:(
This exploit can potentially affect many applications that use MSHTML rendering (for example some email clients).
As we can see a simple drive-by download of RTF file can trigger this exploit via Windows Explorer preview feature. So one has to disable installing ActiveX controls and additionally disable preview in Windows Explorer (for RTF and MS Office documents):

Security Update Guide - Microsoft Security Response Center

msrc.microsoft.com msrc.microsoft.com

It is unclear for me if this can protect exploiting other applications.
 
Last edited:
  • Like
  • Wow
Reactions: mkoundo, upnorth, Nevi and 7 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
The malware variants which work after opening the document can be also prevented by blocking ActiveX controls in MS Office. MSHTML will not trigger ActiveX control and the exploit will not work.
This mitigation is not as restrictive as Microsoft's recommendation (Microsoft recommends disabling ActiveX system-wide).

Edit1.
It is possible that a similar exploit can be created without using new ActiveX controls.


Edit2.
The control.exe is used in the attacks in the wild (so far). It is spawned by MS Office applications, so the attack should be mitigated (the malicious *.cpl file blocked) by the ASR rule "Block all Office applications from creating child processes".
For other applications (that use MSHTML rendering) similar mitigation can be used (via Exploit Protection in Security Center).
 
Last edited:
  • Like
  • Thanks
Reactions: mkoundo, upnorth, Nevi and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
I am curious how this exploit affects the file viewers (QuickLook, WinQuickLook, Air File Viewer Pro, File Viewer Plus, etc.).
 
  • Like
Reactions: Nevi
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,477
It seems that the exploit via a preview of RTF files in the Explorer is related (so far) to MS Office Word. The winword.exe is a parent process of control.exe. This attack vector bypasses MS Office Protected View for the documents downloaded from the Internet.
So far, MSHTML exploit can be blocked on the later infection chain by any security that can block child processes of MS Office applications. Of course, it will be blocked at the earlier stage by blocking ActiveX controls.

Anyway, this exploit can also affect other applications that use MSHTML:
blog.nviso.eu

Kusto hunting query for CVE-2021-40444

Kusto hunting query for CVE-2021-40444
blog.nviso.eu blog.nviso.eu

It is not clear to me if this exploit (Explorer's RTF preview) can work without MS Office. Explorer does not require an external application to preview RTF files. But, the preview should not allow ActiveX.:unsure:
The possible attacks via 3rd party file viewers are not so dangerous.
 
Last edited:
  • Like
Reactions: Nevi, SeriousHoax, wat0114 and 1 other person
upnorth

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
There been several samples that abuse this exploit in " the wild " so to speak for almost 2 weeks now, but the good part is that more or less all major AV vendors al ready cover those samples and kill them very well. I tested a whole bunch yesterday from common repositories with F-Secure and it didn't flinch once, but nailed and deleted the samples automatic as soon I tried to unpack them from the compressed archives. I actually only seen one small not really a conclusive test IMO of EDRs against this exploit. Bitdefender was the one so far that can't fully remove the payload sample, but it still blocks the attack.

 
  • +Reputation
  • Like
Reactions: silversurfer, wat0114, The_King and 4 others
You must log in or register to reply here.

Similar threads

lokamoka820
    • Like
    • +Reputation
Security News Microsoft Office Apps Provide a New Path for Hackers
Replies
0
Views
2,124
Security News
lokamoka820
lokamoka820
Gandalf_The_Grey
    • Like
    • +Reputation
Microsoft: Unpatched Office zero-day exploited in NATO summit attacks
Replies
0
Views
1,296
News Archive
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Like
    • Wow
    • +Reputation
Security News Windows driver zero-day exploited by Lazarus hackers to install rootkit (patched August 2024)
Replies
0
Views
1,570
Security News
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top