Microsoft has summarized a remote code execution vulnerability in MSHTML and provided potential workarounds. The Security vulnerability is MITRE CVE-2021-40444 according to which an attacker can enter the system using specially-crafted Microsoft Office documents. He could contrive a malicious ActiveX control that a Microsoft Office document can use then persuade the user to open the document. Obviously, users having administrative privilege are at more risk than those having fewer rights. Thankfully, there is a workaround to solve CVE-2021-40444 Office Vulnerability in Windows.
In order to protect Windows from this vulnerability, Microsoft Defender Antivirus and Microsoft Defender for Endpoint should be having the latest update. You can check the version info and follow How to Check Protection Updates for Threat Definitions to keep the app up-to-date. If you are using automatic updates then additional action is not necessary. Windows Enterprise users who control updates should choose the detection build at least 1.349.22.0 and deploy it across their environments. Alerts will be shown as Suspicious Cpl File Execution by Microsoft Defender for Endpoint.
CVE-2021-40444 Vulnerability for Office via malicious ActiveX control in Windows
Here is How to Fix CVE-2021-40444 Office Vulnerability in Windows 10 –
Disabling the installation of all ActiveX controls in Internet Explorer (IE) using registry modifications will successfully mitigate this attack. Note that previously installed ActiveX controls will be running and they will not expose this CVE vulnerability. To disable installing ActiveX controls in Internet Explorer in all zones, follow the steps –
- Right-click on desktop and select New > Text Document
- Double click and open the ‘document’.
- Copy the following text and paste into the document
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2] "1001"=dword:00000003 "1004"=dword:00000003 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3] "1001"=dword:00000003 "1004"=dword:00000003
- Click on Files then on Save as
- Next, click on Save as type and select – All files (*.*).
- Write the File name – disableactivexcontrol.reg (or some other that suits you but .reg extension is mandatory).
- Now, click Save.
- Go to the desktop and right click on disableactivexcontrol.reg and select Merge.
- Select Yes if UAC is prompted.
- On the confirmation dialog (named Registry Editor), click on ‘Yes’.
- Restart your computer to protect the system.
If you don’t want to be bothered to create the reg file here is the direct download link to fix CVE-2021-40444 Vulnerability –
- Download disableactivexcontrol.zip and extract the file.
- Now right click on disableactivexcontrol.reg snd choose ‘Merge’.
- Follow the step given above to complete.
This registry modification will set the URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) state for all internet zones for 64-bit and 32-bit processes. Furthermore, new ActiveX controls will not be installed. Previously installed ActiveX controls will continue to run. Microsoft will come with an update later to address this
Source – Security guide.
0patch has tweeted that an official fix for CVE-2021-40444 is out. Following their plan, they will create a micropatch for affected Windows versions and push it to the devices –
Now that an official fix for CVE-2021-40444 is out and confirming our planned approach, we’ll create a micropatch for affected Windows versions we’ve “security adopted” that aren’t getting Windows Updates anymore. https://t.co/OPGTFNsBr9
— 0patch (@0patch) September 14, 2021