• Zero day CVE 2021-40444


    #2388993

    What is it? It’s (yet another) zero day attack that is a TARGETED only attack using Office and RTF files to take ownership of your machine. Microsoft
    [See the full post at: Zero day CVE 2021-40444]

    Susan Bradley Patch Lady/Prudent patcher

    5 users thanked author for this post.
    • #2389028

      For Pro/Edu/Ent editions, you can opt to adjust ActiveX controls via Group Policy to all zones, which is Microsoft’s recommended method.

      In Group Policy settings, navigate to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page

      For each zone:

      Select the zone (Internet Zone, Intranet Zone, Local Machine Zone, or Trusted Sites Zone).

      Double-click Download signed ActiveX controls and Enable the policy. Then set the option in the policy to Disable.

      Double-click Download unsigned ActiveX controls and Enable the policy. Then set the option in the policy to Disable.

      We recommend applying this setting to all zones to fully protect your system.

      Impact of workaround.

      This sets the URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) for all internet zones for 64-bit and 32-bit processes. New ActiveX controls will not be installed. Previously-installed ActiveX controls will continue to run.

      How to undo the workaround

      Set the option in the policy to Enable.

      Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

      If debian is good enough for NASA...
      3 users thanked author for this post.
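The Group Policy steps above set two per-zone URL actions (1001 and 1004) to DISABLED (3). The following script is an added example, not from the post or from Microsoft’s advisory, that audits those values on a local machine and can apply the same setting; it assumes the zone policy lives under the `HKLM:\SOFTWARE\Policies\...\Internet Settings\Zones\<n>` key, which is where these Group Policy settings are written.

```powershell
# Added example: audit (and with -Apply, enforce) the ActiveX-download workaround.
# Assumption: per-zone URL actions written by Group Policy live under this Policies key.
# Value names are the hex URLACTION ids quoted in the post: 1001 = signed, 1004 = unsigned.
# Run from an elevated PowerShell prompt; -WhatIf shows what would be changed.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Apply   # without -Apply the script only reports the current state
)

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Zone ids used by Internet Settings; these are the four zones the post walks through.
$Zones = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet' }
$Actions = @{
    '1001' = 'URLACTION_DOWNLOAD_SIGNED_ACTIVEX'
    '1004' = 'URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX'
}
$Disabled = 3   # URL policy value meaning DISABLED

foreach ($zoneId in ($Zones.Keys | Sort-Object)) {
    $zonePath = Join-Path $PolicyRoot $zoneId
    foreach ($valueName in $Actions.Keys) {
        # Read the DWORD if present; $null means no policy value, so the zone default applies.
        $current = (Get-ItemProperty -Path $zonePath -Name $valueName -ErrorAction SilentlyContinue).$valueName
        $state = if ($null -eq $current) { 'not set (zone default applies)' }
                 elseif ($current -eq $Disabled) { 'DISABLED (3): workaround in place' }
                 else { "value $current: ActiveX download still allowed" }
        Write-Output ('Zone {0} ({1}) {2}: {3}' -f $zoneId, $Zones[$zoneId], $Actions[$valueName], $state)

        # Only touch values that are not already DISABLED, and honour -WhatIf/-Confirm.
        if ($Apply -and $current -ne $Disabled -and
            $PSCmdlet.ShouldProcess("$zonePath\$valueName", "Set to $Disabled")) {
            if (-not (Test-Path $zonePath)) { New-Item -Path $zonePath -Force | Out-Null }
            New-ItemProperty -Path $zonePath -Name $valueName -Value $Disabled `
                -PropertyType DWord -Force | Out-Null
        }
    }
}
```

Run without switches to see which zones still allow ActiveX downloads; `-Apply -WhatIf` lists the registry values that would be changed before you commit.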
    • #2389049

      We know not to turn on preview pane in Outlook.

      I would hazard a guess that most Outlook users have the preview pane enabled.

      But isn’t it relevant that most Office users also have the default Protected View?

      Mitigations

      By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office both of which prevent the current attack. For information about Protected View, see What is Protected View?.

      2 users thanked author for this post.
    • #2389066

      To enable this protection click on THIS registry file.

      This downloads a REG file called EnableZerodayCVE-2021-40444.reg.

      To clarify… this REG file does NOT enable the vulnerability, despite its name. It DISABLES it, i.e. prevents the vulnerability from occurring.

    • #2389793

      The only time I use RTFs is in WordPad (Win 7). Is WordPad in any danger?

      Being 20 something in the 70's was far more fun than being 70 something in the insane 20's
    • #2390190

      The only time I use RTF’s is in WordPad

      No worry. WordPad does not execute code.

      1 user thanked author for this post.
    • #2390844

      Microsoft patched this vulnerability 09/14 for most flavors of OS Server and Workstations.
      In our Windows 10 1909, Server 2012 R2, and Server 2016 test group, IE11 will not start after applying the respective patches. When IE11 is launched, a white screen without any text or controls appears on the screen. Nothing is logged indicating something has been blocked. The patches are:
      Win10 1909 Sep Cumulative 5005566
      Server 2012 R2 Sep Security Only KB5005627 and IE Cumulative KB5005563
      Server 2016 Sep Cumulative KB5005573

      Appreciate feedback if anyone else has seen this.
