Update, September 14, 2021: a fix for the flaw was released as part of the September Patch Tuesday update. Earlier this week, Microsoft warned of a new zero-day vulnerability that allows attackers to take over any Windows PC with a booby-trapped Office 365 file.
In Microsoft's security advisory for the flaw, cataloged as CVE-2021-40444, users are reminded that Word, Excel, and PowerPoint open files downloaded from the Internet in Protected View, and are warned to avoid clicking the "Enable Editing" button for such files.
However, this problem is more serious and harder to defend against than that advice suggests. Office is not even necessary for this exploit to work. As CERT/CC vulnerability analyst Will Dormann noted yesterday (September 9) on Twitter, simply previewing a booby-trapped Rich Text Format (RTF) file in File Explorer is enough to trigger the exploit.
The exploit is not a simple one, but it is a very powerful one.
Although the actual attack mechanism of this exploit has not been disclosed, several security researchers have replicated this exploit and it has been actively used in attacks that appear to target primarily the United States.
Microsoft may patch this flaw in next Tuesday's monthly update, but that is not yet confirmed. Windows 7, 8.1, 10, and 11 are vulnerable, as are all versions of Microsoft Office.
For now, home Windows users can minimize their exposure to this attack by disabling ActiveX, Microsoft's outdated programming framework, in Office (we show you how below) and running one of the best antivirus programs available.
While these measures will protect Office and stop known malicious files, attackers can easily create new malicious files or use non-Office files. It's like playing whack-a-mole until Microsoft patches it. At least until September 14, the only sure way to protect yourself from these attacks is to completely disable ActiveX in the Windows registry (the "master document" that manages each Windows system). This is a dangerous action unless you really know what you are doing, but I will show you how to do it.
This will disable the ability to view web-based content in Word, Excel, PowerPoint, and other Office applications.
WARNING: This involves editing the Windows registry, and one misstep could leave your Windows installation badly broken.
As Microsoft itself states in its advisory warning of this exploit, "It can cause serious problems and may require a reinstallation of your operating system." Tom's Guide cannot be held responsible if this occurs; you do so at your own risk.
In addition, Word, Excel, PowerPoint, and other Office applications will no longer be able to display Web-based content, Internet Explorer will no longer function, and Windows' built-in File Explorer and other programs may also be affected. Microsoft Edge is not affected.
1. Make sure you are running Windows under an administrator account.
2. Copy and paste all of the following text into a text file:
3. Save the text file to your desktop with the extension ".reg". The file name is not important; the extension is.
4. Locate the file on the desktop and double-click it.
5. A window will pop up warning you that editing the registry can cause bad things to happen; click "Yes."
6. Restart the PC.
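The steps above apply a .reg file by hand. As an added example (not the article's own registry text, and not Microsoft's script), the PowerShell script below applies the same kind of mitigation from an elevated prompt, but it first saves the current values so they can be put back once the patch is installed, and it verifies the result before you reboot. The registry location and value names are the ones Microsoft documented in its workaround for this flaw (policy values "1001" and "1004" under the Internet Settings zone keys, set to 3 for "Disable"); the backup file path and the function names are this example's own choices.

```powershell
# Added example: disable ActiveX control installation in every Internet
# Explorer security zone by policy, with backup, verification and restore.
# Registry path and values follow Microsoft's documented CVE-2021-40444
# workaround; the backup location is an assumption of this example.
#Requires -RunAsAdministrator

$ZonesBase  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneIds    = 0..3            # 0 = Local Machine, 1 = Intranet, 2 = Trusted, 3 = Internet
$ValueNames = '1001', '1004'  # signed / unsigned ActiveX control download
$Disabled   = 3               # 3 = Disable in the IE zone policy scheme

function Get-ActiveXZonePolicy {
    # Return the current policy values so they can be saved and inspected.
    foreach ($zone in $ZoneIds) {
        $key = Join-Path $ZonesBase $zone
        foreach ($name in $ValueNames) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{ Zone = $zone; Name = $name; Value = $current }
        }
    }
}

function Backup-ActiveXZonePolicy {
    # Save the pre-change state to JSON on the desktop (assumed location).
    param([string]$Path = "$env:USERPROFILE\Desktop\activex-policy-backup.json")
    Get-ActiveXZonePolicy | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
    return $Path
}

function Disable-ActiveXInAllZones {
    # Create each zone policy key if needed and force both values to Disable.
    foreach ($zone in $ZoneIds) {
        $key = Join-Path $ZonesBase $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $ValueNames) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Disabled -Force | Out-Null
        }
    }
}

function Test-ActiveXDisabled {
    # True only if every zone has both values set to Disable.
    $notDisabled = @(Get-ActiveXZonePolicy | Where-Object { $_.Value -ne $Disabled })
    return ($notDisabled.Count -eq 0)
}

function Restore-ActiveXZonePolicy {
    # Put the saved values back; entries that were absent are removed again.
    param([Parameter(Mandatory)][string]$Path)
    $saved = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($entry in $saved) {
        $key = Join-Path $ZonesBase $entry.Zone
        if ($null -eq $entry.Value) {
            if (Test-Path $key) {
                Remove-ItemProperty -Path $key -Name $entry.Name -ErrorAction SilentlyContinue
            }
        } else {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $entry.Name -PropertyType DWord -Value $entry.Value -Force | Out-Null
        }
    }
}

# Usage: back up first, apply, then verify before rebooting.
$backup = Backup-ActiveXZonePolicy
Disable-ActiveXInAllZones
if (Test-ActiveXDisabled) {
    Write-Host "ActiveX disabled in all zones; backup saved to $backup. Reboot to finish."
} else {
    Write-Warning "Verification failed; inspect $ZonesBase before rebooting."
}
```

After the September 14 patch is installed, `Restore-ActiveXZonePolicy -Path <backup file>` puts the previous values back. Note that, as the article says, Beaumont found a way to trigger the exploit without a new ActiveX control, so this policy change is a stopgap that reduces exposure rather than a substitute for the patch.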
In the mid-1990s, Microsoft created a programming framework called ActiveX to compete with Java and JavaScript, two widely used tools for creating rich web content. It incorporated ActiveX into MSHTML, the rendering engine that powers the Internet Explorer web browser.
Although neither ActiveX nor Internet Explorer is still being developed, MSHTML remains the default website rendering engine for Office and many default Windows programs, including those in Windows 11. Thus, Word, Excel, PowerPoint, File Explorer, and other common Microsoft applications use MSHTML and ActiveX.
Whether or not IE is actually installed on your system, you can assume that each of these programs has a mini Internet Explorer browser built in.
"Word uses MSHTML in a mostly unsecured way," security expert Kevin Beaumont wrote on Twitter this past Wednesday (September 8). "It's a pretty rich attack surface."
In this case, the attacker (believed to be part of the BazarLoader malware campaign) is sending out phishing emails with Word documents attached that may be of interest to recipients. A typical example appears to be a threat from a Minneapolis attorney that "you will be sued in small claims court."
While this example may seem like an obvious phishing email to many, attackers can scan your social media posts and create a document tailored to trick you. As Dormann noted, they can also send RTF files instead of Office files, or embed Word documents in Zip files or other compressed folders, to avoid Protected View.
When an Office or RTF file is opened, the Web-based content in the file launches MSHTML, which uses ActiveX to render the Web content.
Attackers have created malicious ActiveX "controls," or programming modules, customized to hijack PCs, but Beaumont said on Twitter that he found a way to trigger the exploit without using a new ActiveX control.
Whatever the mechanism, the end result is that the malware using the exploit gains the same privileges on the system as the current user. If you are running Windows as a limited user who cannot install, update, or remove applications, or change system settings, then the damage would be limited. However, if you are running Windows as an administrator, the malware can really take over your system.
The ultimate goal, at least in current malware campaigns, is to install a Cobalt Strike backdoor on the system and create a permanent, hidden method of remote control.
Microsoft patched the flaw on Tuesday, September 14, in a scheduled round of Patch Tuesday updates. The patch is available for Windows 7 (extended support version) through Windows 10 version 21H1.