Microsoft recently disclosed an actively exploited security vulnerability that is being delivered through Microsoft 365 and MS Office 2019 documents. These weaponized documents can cause a lot of harm, since opening one can download and execute a malicious payload on the victim's machine.
The Internet Explorer MSHTML Remote Code Execution (RCE) vulnerability is currently being exploited in the wild. Officially tagged and tracked as CVE-2021-40444, it lets an attacker run arbitrary code on the affected computer with the privileges of the user who opened the document.
The MSHTML Remote Code Execution (RCE) vulnerability relies on malicious ActiveX controls to exploit Office 365 and Office 2019:
CVE-2021-40444 is quite concerning. When Microsoft disclosed the security flaw, the company offered few technical details. Since then, security researchers have been uncovering just how much the exploit can do.
Inspired by @buffaloverflow, I tested out the RTF attack vector. And it works quite nicely.
WHERE IS YOUR PROTECTED MODE NOW? — Will Dormann (@wdormann) September 9, 2021
Microsoft had indicated that the vulnerability is triggered through malicious ActiveX controls embedded in documents, and that it affects Office 365 and Office 2019 on Windows 10. The exploit spreads through weaponized MS documents: when a document is opened, the embedded control reaches out to an attacker-controlled server and tries to download and install malware on the affected computer.
Multiple security researchers have been warning about the vulnerability. What is even more concerning is that the same flaw can be triggered from weaponized RTF files, not just Word documents.
For bonus points I just modified it to not need a new ActiveX control, which beats the MS work around. Took about a minute. 🤦♀️https://t.co/oaVfJfzZcb
— Kevin Beaumont (@GossiTheDog) September 8, 2021
Microsoft has shared a workaround that prevents ActiveX controls from being installed through Internet Explorer, which blocks the attack as it was first observed. However, security researcher Kevin Beaumont has already demonstrated a variant that does not need a new ActiveX control at all, sidestepping Microsoft's temporary workaround.
With a workaround bypass in hand and additional file types such as RTF available to weaponize, CVE-2021-40444 is becoming more dangerous, not less.
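The workaround Microsoft published sets Internet Explorer URL-action policies so that signed and unsigned ActiveX controls can no longer be downloaded in any security zone, and Office's MSHTML rendering honours those zone policies. The script below is an added example written for this article, not Microsoft's own script: it applies that registry workaround and then audits every zone so any gap is visible. It assumes an elevated PowerShell session on the affected Windows 10 machine; the function names are this example's own.

```powershell
# Added example (not Microsoft's script): apply and audit the CVE-2021-40444 ActiveX workaround.
# URL actions 1001 = "Download signed ActiveX controls", 1004 = "Download unsigned ActiveX
# controls"; value 3 = Disable. Zones 0..3 = Local Machine, Local Intranet, Trusted, Internet.
# Policy keys under HKLM\...\Policies override the per-user zone settings. Run elevated.
$ZonesRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$UrlActions = @('1001', '1004')
$Disable    = 3

function Set-ActiveXDownloadDisabled {
    # Creates the policy key for each zone if missing and forces both URL actions to Disable.
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonesRoot ([string]$zone)
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($action in $UrlActions) {
            New-ItemProperty -Path $key -Name $action -PropertyType DWord -Value $Disable -Force | Out-Null
        }
    }
}

function Test-ActiveXDownloadDisabled {
    # Emits one row per zone/action so a partially applied workaround is obvious.
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonesRoot ([string]$zone)
        foreach ($action in $UrlActions) {
            $current = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
            [pscustomobject]@{
                Zone      = $zone
                UrlAction = $action
                Value     = $current
                Mitigated = ($current -eq $Disable)
            }
        }
    }
}

Set-ActiveXDownloadDisabled
Test-ActiveXDownloadDisabled | Format-Table -AutoSize
```

Run the audit function on its own first to see the current state; any row with Mitigated = False is a zone that still permits ActiveX downloads. As the tweet above shows, this only covers the original attack chain, so treat it as a stop-gap rather than a fix.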
Microsoft 365 and MS Office 2019 'Protected View' offers some protection from weaponized documents, but user behavior remains a serious problem:
Microsoft Office has a 'Protected View' feature. Technical jargon aside, it opens any document obtained from the Internet in a read-only sandbox with active content such as macros and ActiveX controls disabled.
When MS Office opens a document, it checks whether the file carries a "Mark of the Web" (MoTW) tag, stored on NTFS as the Zone.Identifier alternate data stream. As the name indicates, the tag identifies the document as having originated from the Internet.
To contextualise this, Protected View also protects against macros, which are the single biggest source of malware in the security industry, as "Enable Content" in the UI disables it.
Application Guard for Office is an E5 only feature and isn't used to open docs by default.
— Kevin Beaumont (@GossiTheDog) September 7, 2021
Protected View only allows the document to open in read-only mode, with embedded controls disabled. As long as the user stays in Protected View, this effectively blocks the CVE-2021-40444 0-day exploit.
Needless to say, many users habitually click the 'Enable Editing' button to gain complete control over the document. That single click leaves Protected View, undermines the security feature and allows the exploit to run.
Looks like this has been in the wild for a week or more. Uses the daft as F feature that allows Word to load a template from internet, that spawns IE and then trusts JS and ActiveX controls, then uses ../.. (yes it's 1999) to spawn .cpl file https://t.co/mOvaN9YLj6
— Kevin Beaumont (@GossiTheDog) September 8, 2021
What is even more concerning is that not every Office document that originates from the Internet actually carries the MoTW tag. The tag is only applied by software that knows to write it (browsers and mail clients, for example), and many archive tools, 7-Zip among them, do not propagate it to the files they extract. Threat actors can therefore deliver the document inside such a container so that it arrives on disk without the MoTW tag and Office opens it outside Protected View.
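The two points above, what MoTW is and why archived documents arrive without it, come together in the following added example. It is written for this article and is not part of Microsoft's tooling: it reads the Zone.Identifier stream, lists Office documents under a folder that lack an Internet-zone mark (the ones Office would open outside Protected View), and can re-apply the mark so that Protected View is triggered. The function names and the placeholder document it creates under $env:TEMP are this example's own constructions; it needs an NTFS volume.

```powershell
# Added example (not Microsoft's code): inspect, find and restore the Mark of the Web.
# MoTW is the NTFS alternate data stream "Zone.Identifier"; ZoneId=3 means "Internet" and is
# what makes Office open the file in Protected View. Files extracted by archivers such as
# 7-Zip usually have no such stream, which is exactly the gap this script looks for.

function Get-MarkOfTheWeb {
    # Returns $null when the file has no Zone.Identifier stream at all.
    param([Parameter(Mandatory)][string]$Path)
    $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    $zone = $null
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
    }
    [pscustomobject]@{ Path = $Path; ZoneId = $zone; Raw = ($ads -join "`n") }
}

function Set-MarkOfTheWeb {
    # Writes an Internet-zone MoTW so Office treats the file as downloaded.
    param([Parameter(Mandatory)][string]$Path, [string]$ReferrerUrl)
    $lines = @('[ZoneTransfer]', 'ZoneId=3')
    if ($ReferrerUrl) { $lines += "ReferrerUrl=$ReferrerUrl" }
    Set-Content -Path $Path -Stream Zone.Identifier -Value $lines
}

function Find-UnmarkedOfficeFiles {
    # Office documents under $Root without an Internet-zone mark, i.e. no Protected View.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File `
        -Include *.doc, *.docx, *.docm, *.rtf, *.xls, *.xlsx, *.xlsm, *.ppt, *.pptx |
        Where-Object { (Get-MarkOfTheWeb -Path $_.FullName).ZoneId -ne 3 }
}

# Constructed demo: a harmless placeholder named like an Office file, first unmarked (as it
# would arrive after extraction from an archive), then marked.
$demoDir = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$doc = Join-Path $demoDir 'invoice.docx'
Set-Content -Path $doc -Value 'placeholder text, not a real document'

Find-UnmarkedOfficeFiles -Root $demoDir | ForEach-Object { "Unmarked (no Protected View): $($_.FullName)" }

Set-MarkOfTheWeb -Path $doc -ReferrerUrl 'https://example.com/invoice.docx'
Get-MarkOfTheWeb -Path $doc

# After marking, the folder scan returns nothing.
Find-UnmarkedOfficeFiles -Root $demoDir
```

Running Find-UnmarkedOfficeFiles over a user's Downloads folder is a quick way to see how many documents would bypass Protected View; marking them with Set-MarkOfTheWeb before they are opened puts them back under Protected View, though it does nothing for a file the user later chooses to "Enable Editing" on.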
Be cautious about Office files – do not open if you don't fully trust the source! Also, now is a good time to check whether your Office is configured to open files in protected view or application guard. Disable ActiveX rendering to prevent exploitation https://t.co/WbQUC2EYJr
— Raluca (@ralucasaceanu) September 8, 2021
Simply put, by delivering the document in a container that strips the MoTW tag, threat actors can bypass the Protected View defense and launch the CVE-2021-40444 0-day exploit without relying on the user clicking through. New reports about the exploit indicate that the final payload installs a Cobalt Strike beacon.
The beacon gives the threat actor remote access to the device. Once an attacker has that foothold on a victim's computer, further post-exploitation activity, from credential theft to lateral movement across the network, becomes possible.