Cybercriminals are sharing tutorials and exploits for the Windows MSHTML zero-day vulnerability (CVE-2021-40444) on hacking forums, enabling other attackers to start exploiting the new vulnerability.
Last week, Microsoft disclosed a new zero-day vulnerability in Windows MSHTML. The vulnerability allows attackers to craft malicious documents, including Office and RTF documents, that execute commands remotely on the victim's computer.
No security update for CVE-2021-40444 is available yet. The zero-day was discovered by the EXPMON service and the security company Mandiant, and Microsoft chose to disclose it together with mitigations to prevent its exploitation.
Until a patch is released, users should block ActiveX controls and disable previews of Word and RTF documents in Windows Explorer to prevent a possible attack.
Windows MSHTML zero-day: Tutorials and PoCs posted on hacking forums
When Microsoft first disclosed the zero-day (CVE-2021-40444) in Windows MSHTML, security researchers quickly found the malicious documents used in the attacks.
Researchers were able to reproduce the attacks and adapt the exploit further, but withheld the details to keep other cybercriminals from using them.
Unfortunately, attackers managed to reproduce the exploit on their own, and malicious document samples were posted online together with tutorials and PoCs.
Since last week, criminals have been sharing information about the HTML component of the exploit and how to create the malicious document. On Friday, further instructions were published for creating the payload and the CAB file that carries the path-traversal component of the exploit.
On Saturday, as researchers began posting more details on GitHub and Twitter, criminals shared further details on building every part of the exploit.
The instructions are simple enough that anyone can build their own working exploit for CVE-2021-40444, including a Python server for serving the malicious documents and CAB files.
Windows MSHTML zero-day: Defense
Fortunately, there is some good news. Since the vulnerability was disclosed, Microsoft Defender and other security products have been able to detect and block the malicious documents and CAB files used in these attacks.
Microsoft has also published the following instructions for blocking ActiveX controls in Internet Explorer and document previews in Windows Explorer.
Disabling ActiveX controls in Internet Explorer
Follow these steps:
Open Notepad and paste the following text into a new file. Save the file as disable-activex.reg. Make sure Windows Explorer is set to show file extensions, so the file is saved with the .reg extension (and not as disable-activex.reg.txt) and is recognised as a Registry file.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
Locate the newly created disable-activex.reg file and double-click it. When the UAC prompt appears, click "Yes" to import the Registry entries.
Restart the computer to apply the new configuration.
After the reboot, the ActiveX controls will be disabled in Internet Explorer.
You can re-enable ActiveX controls by deleting the above Registry keys.
Disable document previews in Windows Explorer
Security researchers also found that the Windows MSHTML zero-day could be triggered simply by viewing a malicious document in the Windows Explorer preview pane.
For this reason, Microsoft also recommends disabling previews for Word and RTF documents.
In Registry Editor (regedit.exe), go to the registry key for the document type:
For Word documents:
For RTF documents:
Export a copy of the Registry key as a backup.
Double-click the value's Name entry and clear the Value data field in the Edit String dialog box, then click OK.
Previews are now disabled in Windows Explorer.
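The two mitigations above are given as manual regedit and .reg-file steps. The following PowerShell script is an added example for this article (it is not Microsoft's script and not part of the original post) that applies both mitigations from an elevated prompt, backs up the keys it changes, verifies the result, and can revert them. The ActiveX part uses exactly the policy values from the .reg file above. The preview part needs the key paths that the article omits: the document extensions and preview-handler CLSID used here are assumptions taken from Microsoft's mitigation guidance for CVE-2021-40444 and should be checked against the advisory before deployment.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's script, not from the article): apply, verify and
# revert the two CVE-2021-40444 mitigations from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'

# ---- Mitigation 1: disable ActiveX in Internet Explorer (same values as the .reg file) ----
$ZonesPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# 1001 = "Download signed ActiveX controls", 1004 = "Download unsigned ActiveX controls"; 3 = Disable
$ActiveXValues = @{ '1001' = 3; '1004' = 3 }

function Disable-IeActiveX {
    foreach ($zone in 0..3) {   # 0 = Local machine, 1 = Intranet, 2 = Trusted sites, 3 = Internet
        $key = Join-Path $ZonesPolicy $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $ActiveXValues.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $ActiveXValues[$name] -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-IeActiveXDisabled {
    # $true only if every zone carries both policy values set to 3 (Disable)
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonesPolicy $zone
        foreach ($name in $ActiveXValues.Keys) {
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -eq $item -or $item.$name -ne 3) { return $false }
        }
    }
    return $true
}

function Enable-IeActiveX {
    # Rollback as the article describes it: remove the policy values again
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonesPolicy $zone
        if (Test-Path $key) {
            Remove-ItemProperty -Path $key -Name ([string[]]$ActiveXValues.Keys) -ErrorAction SilentlyContinue
        }
    }
}

# ---- Mitigation 2: disable the Explorer preview handler for Word/RTF documents ----
# ASSUMPTION: the article omits the key paths. The extensions and the preview-handler
# CLSID below are taken from Microsoft's mitigation guidance for CVE-2021-40444;
# verify them against the advisory before deploying this.
$PreviewHandlerClsid = '{8895b1c6-b41f-4c1c-a562-0d564250836f}'
$DocumentExtensions  = '.docx', '.doc', '.docm', '.rtf'
$BackupDir = Join-Path $env:ProgramData 'cve-2021-40444-backup'

function Get-PreviewKey([string]$Extension) {
    # Registry:: provider path, so no HKCR: drive has to be mapped first
    "Registry::HKEY_CLASSES_ROOT\$Extension\ShellEx\$PreviewHandlerClsid"
}

function Disable-DocumentPreview {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($ext in $DocumentExtensions) {
        $key = Get-PreviewKey $ext
        if (-not (Test-Path $key)) { continue }   # extension not registered on this host
        # Export a backup first, as the article advises; reg.exe wants the HKEY_CLASSES_ROOT form
        $backup = Join-Path $BackupDir ('preview-' + $ext.TrimStart('.') + '.reg')
        & reg.exe export "HKEY_CLASSES_ROOT\$ext\ShellEx\$PreviewHandlerClsid" $backup /y | Out-Null
        # Blank the (Default) value, which is what the regedit steps above do
        Set-ItemProperty -Path $key -Name '(default)' -Value ''
    }
}

function Test-DocumentPreviewDisabled {
    # $true when every registered extension has an empty (Default) value, i.e. no handler CLSID left
    foreach ($ext in $DocumentExtensions) {
        $key = Get-PreviewKey $ext
        if (-not (Test-Path $key)) { continue }
        $current = (Get-ItemProperty -Path $key).'(default)'
        if (-not [string]::IsNullOrEmpty($current)) { return $false }
    }
    return $true
}

function Restore-DocumentPreview {
    # Re-import the .reg backups written by Disable-DocumentPreview
    Get-ChildItem -Path $BackupDir -Filter 'preview-*.reg' -ErrorAction SilentlyContinue |
        ForEach-Object { & reg.exe import $_.FullName | Out-Null }
}

# ---- Apply both mitigations and report the resulting state ----
Disable-IeActiveX
Disable-DocumentPreview
[pscustomobject]@{
    IeActiveXDisabled       = Test-IeActiveXDisabled
    DocumentPreviewDisabled = Test-DocumentPreviewDisabled
    BackupDirectory         = $BackupDir
}
# As with the .reg steps above, a restart is still needed for the ActiveX policy to take effect.
# Rollback: Enable-IeActiveX; Restore-DocumentPreview
```

Two things to keep in mind when using this. The values under the Policies\...\Zones path are machine-wide policy settings and override whatever the per-user Internet Options show, which is why the check reads back that path rather than the user hive. HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes, so the exported backup is what lets you restore the exact handler CLSID later instead of guessing it.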
These two measures reduce the chance of a successful attack, but users remain exposed until Microsoft releases an official security update.
Source: Bleeping Computer