Addressing CVE-2021-40444: Microsoft MSHTML Remote Code Execution Vulnerability

CVE-2021-40444 is a critical remote code execution (RCE) vulnerability in Microsoft MSHTML, the legacy Internet Explorer rendering engine that Microsoft Office also uses to render embedded web content. Microsoft published the advisory on September 7, 2021, and confirmed that the flaw was already being exploited in targeted attacks. The attacker delivers a specially crafted Microsoft Office document; when the victim opens it, an embedded object causes MSHTML to fetch attacker-controlled content and load a malicious ActiveX control, and code runs on the victim’s system with the rights of the logged-on user. The network attack vector and low attack complexity, combined with the fact that the only user interaction needed is opening a document, make the bug well suited to phishing.

In this blog, we will delve into the details of CVE-2021-40444, including its nature, potential risks, and the steps organizations can take to mitigate or resolve this vulnerability.

Understanding CVE-2021-40444

Vulnerability Summary

– Vulnerability ID: CVE-2021-40444
– Severity: Critical (CVSS 3.1 base score 8.8, temporal score 7.9)
– Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
– Attack Vector: Network
– Attack Complexity: Low
– Privileges Required: None
– User Interaction: Required
– Scope: Unchanged
– Confidentiality: High
– Integrity: High
– Availability: High

The vulnerability lies in the MSHTML engine, a core component of Internet Explorer that Microsoft Office applications also load to render web content. An attacker crafts a Microsoft Office document containing an object that makes Office host the MSHTML engine and retrieve attacker-controlled HTML, which in turn loads a malicious ActiveX control. Once the victim is tricked into opening the document, the attacker’s code runs on the system. It runs with the privileges of the user who opened the file, so when that user is a local administrator the attacker gains full control of the machine without needing a separate privilege-escalation step; this is one more reason for users to work from standard, non-administrative accounts.

Exploitability and Detection

Exploitability

At the time of the original disclosure, exploitation of CVE-2021-40444 had already been detected in targeted attacks, and Microsoft confirmed both that the vulnerability was publicly known and that it had been exploited successfully in the wild. Because the attack requires user interaction (opening a malicious file), it does not lend itself to fully automated, wormable campaigns; it remains a serious concern because a phishing e-mail with a malicious attachment is all an attacker needs.

Detection

Microsoft Defender Antivirus and Microsoft Defender for Endpoint provide detection and protection for the known exploit documents. Microsoft released updated signatures beginning with detection build 1.349.22.0; customers who manage signature updates themselves should deploy that build or newer across their environment. In Defender for Endpoint, activity related to the exploit chain surfaces as the alert “Suspicious Cpl File Execution.” Signature-based detection covers known samples and is not a substitute for the patch.

Solutions and Mitigation Strategies

1. Applying Security Updates

The most effective remediation is to apply the security updates Microsoft released on September 14, 2021, which fix the vulnerable MSHTML code; the workarounds described later in this post reduce exposure but do not remove the flaw. The fix ships in the regular monthly cumulative update for each supported Windows version, and it applies to servers and to machines without Office as well, because MSHTML is a component of Windows rather than of Office. Organizations should install these updates immediately.

To determine which update is applicable to your system, refer to the Security Updates table provided by Microsoft.

For example:

– For Windows 10 version 20H2, apply update KB5005565.
– For Windows Server 2016, apply update KB5005573.

These are cumulative updates, so any later monthly cumulative update for the same Windows version also contains the fix.

Enterprise environments using Windows Server Update Services (WSUS) or another patch-management solution should confirm that the September 2021 cumulative update, or a later one, has reached every Windows system, including servers and machines that do not run Office.
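The following PowerShell script is an added example, not code from the original article or from Microsoft. It checks the two conditions from the Detection and patching sections: whether the host’s OS build is at or beyond the September 14, 2021 cumulative update, and whether Defender signatures are at detection build 1.349.22.0 or newer. Only the two OS/KB pairs the article names are encoded, with their build revisions taken from the corresponding KB release notes; the `$Baseline` table, the function names and the decision to trust the build revision over `Get-HotFix` are choices made for this example.

```powershell
# Added example (not from the original article or from Microsoft). Checks whether this
# host is at or past the September 14, 2021 cumulative update for CVE-2021-40444 and
# whether Defender signatures are at detection build 1.349.22.0 or newer.
# Only the OS/KB pairs named in the article are encoded; extend $Baseline from
# Microsoft's Security Updates table for other Windows versions.

# Minimum patched build revision (UBR) per major build, from the KB release notes:
#   KB5005565 -> 19041.1237 / 19042.1237 / 19043.1237 (Windows 10 2004 / 20H2 / 21H1)
#   KB5005573 -> 14393.4651 (Windows 10 1607 / Windows Server 2016)
$Baseline = @{
    '19041' = @{ Kb = 'KB5005565'; MinUbr = 1237 }
    '19042' = @{ Kb = 'KB5005565'; MinUbr = 1237 }
    '19043' = @{ Kb = 'KB5005565'; MinUbr = 1237 }
    '14393' = @{ Kb = 'KB5005573'; MinUbr = 4651 }
}

function Get-OsBuild {
    # CurrentBuild is the major build, UBR the revision, e.g. 19042.1237
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{ Build = [string]$cv.CurrentBuild; Ubr = [int]$cv.UBR }
}

function Test-Cve202140444Patched {
    $os    = Get-OsBuild
    $entry = $Baseline[$os.Build]
    if (-not $entry) {
        # Build not in the table: say so instead of guessing
        return [pscustomobject]@{ Build = "$($os.Build).$($os.Ubr)"; Status = 'Unknown: extend $Baseline' }
    }
    # A later cumulative update supersedes the September LCU, so Get-HotFix may not list
    # the KB on a host that is nevertheless patched; the build revision is the reliable signal.
    $kbListed = [bool](Get-HotFix -Id $entry.Kb -ErrorAction SilentlyContinue)
    if ($os.Ubr -ge $entry.MinUbr) {
        $status = "Patched (build revision $($os.Ubr) >= $($entry.MinUbr))"
    } else {
        $status = "VULNERABLE: install $($entry.Kb) or a later cumulative update"
    }
    [pscustomobject]@{
        Build      = "$($os.Build).$($os.Ubr)"
        RequiredKb = $entry.Kb
        KbListed   = $kbListed
        Status     = $status
    }
}

function Test-DefenderSignatures {
    $minimum = [version]'1.349.22.0'
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) { return [pscustomobject]@{ Signature = 'n/a'; Status = 'Defender status unavailable' } }
    $current = [version]$mp.AntivirusSignatureVersion
    if ($current -ge $minimum) { $status = 'Signatures cover the known CVE-2021-40444 exploit documents' }
    else                       { $status = "Signatures $current are older than $minimum; update them" }
    [pscustomobject]@{ Signature = $current.ToString(); Status = $status }
}

Test-Cve202140444Patched | Format-List
Test-DefenderSignatures  | Format-List
```

The build-revision comparison matters in practice: a host that received the October 2021 or any later cumulative update will not list KB5005565 in `Get-HotFix`, yet it is patched. A compliance check keyed only on the KB number reports such hosts as missing the fix.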

2. Disabling ActiveX Controls in Internet Explorer

Since the observed exploit chain relied on installing a malicious ActiveX control, one of Microsoft’s published workarounds is to disable ActiveX control installation in Internet Explorer; the same zone settings govern MSHTML when Office hosts it. This can be done via Group Policy or by editing the Windows Registry, and in both cases the system must be restarted before the setting takes effect.

Disabling ActiveX via Group Policy:

1. Open the Group Policy Editor (`gpedit.msc`).
2. Navigate to:
```
Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
```

3. For each security zone (Local Machine Zone, Intranet Zone, Trusted Sites Zone and Internet Zone, which correspond to zones 0 to 3 in the registry), set both of the following policies to Enabled and choose “Disable” from the drop-down list:

– Download signed ActiveX controls
– Download unsigned ActiveX controls

Disabling ActiveX via Windows Registry:

For individual systems, the same result can be achieved by importing a `.reg` file. Below is the registry configuration that disables ActiveX control installation in zones 0 (Local Machine), 1 (Intranet), 2 (Trusted Sites) and 3 (Internet); value 1001 is “Download signed ActiveX controls”, value 1004 is “Download unsigned ActiveX controls”, and data 3 means Disable:

```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
```

Double-click the `.reg` file to import it into the Policy hive, then restart the system so the new zone settings are applied. This mitigation stops new ActiveX controls from being installed, which is the step the observed exploit depended on; controls that are already installed continue to run.

3. Enabling Protected View and Application Guard for Office

By default, Microsoft Office opens files that carry the Mark of the Web (downloaded from the internet or received as e-mail attachments) in Protected View, a read-only mode in which active content such as ActiveX controls does not run unless the user clicks Enable Editing. The protection depends on that mark: files extracted from archives or disk images that do not propagate it, or opened from locations configured as trusted, open without Protected View, and the Explorer preview path described in section 5 never goes through Office at all. Organizations that license Application Guard for Office can go further: untrusted documents open inside a Hyper-V isolated container, so even code that does run cannot reach the host system.

For more information on configuring Protected View, visit Microsoft’s documentation [here](https://support.microsoft.com/en-us/office/what-is-protected-view-2c1e4c76-710a-45f9-85a9-3b630f85df34).

4. Attack Surface Reduction Rules

Organizations using Microsoft Defender for Endpoint, or Microsoft Defender Antivirus as the active antivirus, can enable the attack surface reduction (ASR) rule “Block all Office applications from creating child processes” (rule GUID D4F940AB-401B-4EFC-AADC-AD5F3C50688A), which prevents Office applications such as Word and Excel from spawning child processes. The observed exploit chain had the Office process launch a child process to run its payload, so the rule disrupts the attack even after the document has been opened. It does not fix the MSHTML flaw, and it can break legitimate add-ins that launch helper programs, so deploy it in audit mode first and review the audit events before switching to block.
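As an added example, not code from the original article, the following PowerShell enables that ASR rule through Defender’s own `Add-MpPreference` cmdlet and reads the effective state back. The GUID is the rule’s published identifier; the function names and the audit-first rollout are choices made for this example.

```powershell
# Added example (not from the original article). Enables the ASR rule
# "Block all Office applications from creating child processes" through Defender's
# PowerShell module and reads the effective state back. The GUID is the rule's published
# identifier; function names and the audit-first rollout are choices made for this example.
$OfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    $pref    = Get-MpPreference
    # _Ids and _Actions are parallel arrays: the action at index i belongs to the id at index i
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            switch ([int]$actions[$i]) {
                0       { return 'Disabled' }
                1       { return 'Block' }
                2       { return 'AuditMode' }
                6       { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

function Set-AsrRule {
    param(
        [Parameter(Mandatory)][string]$RuleId,
        [ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Action = 'AuditMode'
    )
    # Add-MpPreference adds or updates this one rule; Set-MpPreference with the same parameters
    # would replace the whole rule list and silently drop rules configured elsewhere.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Action
    Get-AsrRuleState -RuleId $RuleId
}

"Before: $(Get-AsrRuleState -RuleId $OfficeChildProcessRule)"

# Audit first: event ID 1122 in the Microsoft-Windows-Windows Defender/Operational log records
# what the rule would have blocked, so Office add-ins that legitimately spawn processes can be
# excluded before enforcement (event ID 1121 is the corresponding block event).
"After:  $(Set-AsrRule -RuleId $OfficeChildProcessRule -Action AuditMode)"

# Once the audit log is clean, enforce:
#   Set-AsrRule -RuleId $OfficeChildProcessRule -Action Enabled
```

If ASR rules are managed centrally through Group Policy or Intune, the managed setting wins over a local `Add-MpPreference` change; in that case use the same rule GUID and action in the management tool and use `Get-AsrRuleState` only to confirm what the endpoint is actually enforcing.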

5. Disabling Document Preview in Windows Explorer

The Explorer preview pane renders a selected document with the preview handler registered for its file type, so a malicious file can trigger the vulnerability when a user merely clicks on it, without opening it in Office. Unregistering the preview handler for the affected types, for example `.docx`, `.rtf` and `.docm`, closes this path. This is done in the registry; for Word documents the relevant key is:

```
HKEY_CLASSES_ROOT\.docx\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}
```

Export each key first as a backup, then open its (Default) value and clear the Value data. Explorer then no longer previews files of that type; importing the exported key restores the previous behaviour.
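The following PowerShell script is an added example, not code from the original article or from Microsoft’s advisory. It applies the two registry workarounds from sections 2 and 5 together, exporting each key with `reg.exe` before changing it, and reads the ActiveX zone values back to verify them. The key paths, value names and data are the ones given above; the backup folder, the extension list and the function names are assumptions for this example. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original article or from Microsoft's advisory). Applies the two
# registry workarounds described in sections 2 and 5, exporting each key before changing it,
# and verifies the ActiveX result. Run from an elevated PowerShell. The backup folder and the
# extension list are assumptions for this example; key paths and values are the ones above.

$BackupDir = Join-Path $env:ProgramData 'CVE-2021-40444-backup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

function Backup-RegistryKey {
    # $KeyPath in reg.exe form, e.g. HKLM\SOFTWARE\... ; returns $false if the key does not exist
    param([Parameter(Mandatory)][string]$KeyPath)
    $file = Join-Path $BackupDir (($KeyPath -replace '[\\:{}]', '_') + '.reg')
    & reg.exe export $KeyPath $file /y 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# --- Section 2: block ActiveX download in zones 0 (Local Machine) to 3 (Internet) ---
$ZoneRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Disable-ActiveXDownload {
    Backup-RegistryKey ($ZoneRoot -replace '^HKLM:', 'HKLM') | Out-Null
    foreach ($zone in 0..3) {
        $key = Join-Path $ZoneRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # 1001 = Download signed ActiveX controls, 1004 = Download unsigned ActiveX controls; 3 = Disable
        foreach ($name in '1001', '1004') {
            Set-ItemProperty -Path $key -Name $name -Value 3 -Type DWord
        }
    }
}

function Test-ActiveXDownloadDisabled {
    foreach ($zone in 0..3) {
        $props = Get-ItemProperty -Path (Join-Path $ZoneRoot $zone) -ErrorAction SilentlyContinue
        foreach ($name in '1001', '1004') {
            if ($null -eq $props -or $props.$name -ne 3) { return $false }
        }
    }
    return $true
}

# --- Section 5: unregister the Explorer preview handler for document types ---
$PreviewHandlerIid = '{8895b1c6-b41f-4c1c-a562-0d564250836f}'   # IPreviewHandler shell extension
$Extensions = '.docx', '.rtf', '.docm'
if (-not (Get-PSDrive HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Disable-ExplorerPreview {
    foreach ($ext in $Extensions) {
        $key = "HKCR:\$ext\ShellEx\$PreviewHandlerIid"
        if (-not (Test-Path $key)) { continue }   # no preview handler registered for this type
        Backup-RegistryKey "HKCR\$ext\ShellEx\$PreviewHandlerIid" | Out-Null
        # Clearing (Default) removes the handler CLSID; the key stays, so the export restores it
        Set-ItemProperty -Path $key -Name '(default)' -Value ''
    }
}

Disable-ActiveXDownload
Disable-ExplorerPreview
"ActiveX download disabled in zones 0-3: $(Test-ActiveXDownloadDisabled)"
"Backups written to $BackupDir. Restart the system for the zone policy to take effect."
```

The script writes the same values as the `.reg` file in section 2; what it adds is a backup of every key it touches and a read-back check, which is what you want before pushing a workaround to many machines. To roll back, import the exported `.reg` files from the backup folder.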

Conclusion

CVE-2021-40444 is a serious vulnerability that requires immediate attention. Applying Microsoft’s security updates is the only complete fix. The supplementary measures described here, disabling ActiveX installation, relying on Protected View and Application Guard for Office, enabling the Office child-process ASR rule and disabling Explorer previews, reduce exposure while patches roll out and continue to provide defence in depth against similar document-borne attacks afterwards.

By combining these approaches, IT administrators can significantly reduce the risk posed by this critical vulnerability and safeguard their systems against future attacks.
