Skip to main content

Microsoft Windows Remote Code Execution Vulnerability

Last Update Date: 16 Sep 2021 Release Date: 8 Sep 2021 5456 Views

RISK: High Risk

TYPE: Operating Systems - Windows OS

TYPE: Windows OS

A vulnerability has been identified in Microsoft Windows, a remote user can exploit this vulnerability to trigger remote code execution on the targeted system.

 

This vulnerability impacts MSHTML, a component used in Office applications to render web-hosted content. The attacker can exploit this vulnerability by luring users to open a specially-crafted Microsoft Office document containing a malicious Active X control. Once the users open the malicious document, an attacker can remotely execute malicious code on the targeted system. On the other hand, the users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

 

Note:
CVE-2021-40444 is being exploited in the wild.

 

[Important Updated 15-September-2021] Microsoft has released patch to fix this vulnerability in Monthly Security Update on 15-September-2021, please refer to Microsoft Monthly Security Update (September 2021) for details.

 

[Updated on 2021-09-16] The risk level is changed from extremely high risk to high risk correspondingly.


Impact

  • Remote Code Execution

System / Technologies affected

  • Microsoft Windows 7
  • Microsoft Windows 8.1
  • Microsoft Windows 10
  • Microsoft Windows RT 8.1
  • Microsoft Windows Server version 20H2
  • Microsoft Windows Server version 2004
  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2022

 

Please refer to the link below for detail:

 


Solutions

[Important Updated 15-September-2021]

Before installation of the software, please visit the vendor web-site for more details.

  •  Apply fixes issued by the vendor.

 

If you cannot apply this patch immediately, you are suggested to use workaround first.

 

For the affected system mentioned above, apply the following workaround to disable the ActiveX control:

  1. To disable installing ActiveX controls in Internet Explorer in all zones, paste the following into a text file and save it with the .reg file extension:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    "1001"=dword:00000003
    "1004"=dword:00000003
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    "1001"=dword:00000003
    "1004"=dword:00000003
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    "1001"=dword:00000003
    "1004"=dword:00000003
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1001"=dword:00000003
    "1004"=dword:00000003
  2. Double-click the .reg file to apply it to your Policy hive.
  3. Reboot the system to ensure the new configuration is applied.
     

Impact of workaround

This sets the URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) for all internet zones for 64-bit and 32-bit processes. New ActiveX controls will not be installed. Previously-installed ActiveX controls will continue to run.

 

How to undo the workaround

Delete the registry keys that were added in implementing this workaround.

 

 


Vulnerability Identifier


Source


Related Link