About this article
Information about significant vulnerabilities is abundant, and this short Bug Report summarizes the latest ones worth noting. For many years our team has not relied on a single scoring system such as CVSS, preferring qualitative analysis grounded in experience. We look at characteristics such as wormability, the distribution of affected targets, the likelihood of exploitation, and impact. This time, we focus on CVE-2021-40444.
CrossView: CVE-2021-40444
About CVE-2021-40444
CVE-2021-40444 is a vulnerability affecting Office applications that use Protected View, such as Word, PowerPoint and Excel, and it allows an attacker to achieve remote code execution (RCE). It lets specially crafted ActiveX controls and malicious Microsoft Cabinet (.cab) files be launched from an Office document.
Importantly, the vulnerability can be triggered not only from the application itself but also from the preview pane of Explorer (Windows Explorer/File Explorer).
Why it matters
Anyone who uses or deploys Microsoft Office applications should be concerned.
Office is one of the most widely used applications on earth; you may have it open right now. Many enterprises disable macros in Office documents at the group policy level, but ActiveX is rarely treated the same way. In other words, unless files are handled carefully, a great many Office users are exposed to this vulnerability.
Fortunately, e-mail providers flag malicious files (at least the known PoCs) as potential malware and strip them as attachments. As a result, "spray and pray" e-mail campaigns are unlikely to be an effective way to spread exploits for this vulnerability.
What prevents exploitation
Exploitation can be prevented. By default, Windows relies on a flag called the Mark of the Web (MoTW) to trigger Office's Protected View. MoTW is set on e-mail attachments and files downloaded from the network; in Protected View, network operations, ActiveX controls and macros embedded in the document are blocked, which stops this vulnerability from being exploited.
However, users are accustomed to the Protected View banner and often dismiss it without considering the consequences. Attackers count on this habitual response to compromise the target machine, since it lets them install malware without the user properly checking what they are opening.
Furthermore, while the Office application itself and the Explorer preview pane can be exploited, the preview pane in Outlook works in a completely different way and cannot be abused. Only Microsoft can explain why there is such a difference; what matters is that Outlook users must explicitly open the malicious file to be affected. The more steps a user must take to open a malicious file, the less likely exploitation becomes.
Where the problem lies
The picture changes considerably depending on how the file is delivered and where the user saves it.
Besides e-mail and downloads from the network, files arrive in many other ways, including camera flash cards, thumb drives and external hard disks. Files opened from these sources (and from many common applications [1]) do not carry the MoTW flag. An attacker can therefore deliver a malicious file inside a .7z archive or as part of a disk image, or drop USB flash drives where a target will find them, bypassing the protection altogether. Persuading users to open such files is no harder than other social-engineering tactics.
Another way around the default protection is an RTF file delivered by e-mail or download. In our tests, MoTW was not applied to RTF files saved from e-mail attachments, so RTF can serve as a carrier. Whether RTF files will become the preferred vector for this abuse remains to be seen.
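The MoTW and Protected View behaviour described in the two sections above can be checked from the defender's side. The following PowerShell script is an added example, not code from the McAfee post: it audits a folder for Office documents that have no Mark of the Web, or whose zone would not trigger Protected View. It assumes Windows with NTFS (MoTW is stored in the Zone.Identifier alternate data stream); the default folder, the extension list and the function name are assumptions.

```powershell
# Added example, not code from the McAfee article. Audits a folder for Office files that would
# open outside Protected View. Assumes Windows/NTFS: MoTW lives in the Zone.Identifier stream.
param([string]$Path = "$env:USERPROFILE\Downloads")   # assumed default folder to audit

# Zone IDs written into Zone.Identifier by browsers and mail clients.
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

function Get-MotwStatus {
    param([string]$File)
    $status = [ordered]@{ File = $File; HasMotw = $false; Zone = 'none'; ProtectedView = $false }
    try {
        # Throws if the file has no Zone.Identifier stream, i.e. no Mark of the Web.
        # Also throws on FAT-formatted volumes, which cannot store the stream at all.
        $lines = Get-Content -LiteralPath $File -Stream 'Zone.Identifier' -ErrorAction Stop
        $status.HasMotw = $true
        $match = $lines | Where-Object { $_ -match '^ZoneId=(\d+)' } | Select-Object -First 1
        if ($match -match '^ZoneId=(\d+)') {
            $zoneId = [int]$Matches[1]
            $status.Zone = if ($ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { "zone $zoneId" }
            # Office applies Protected View to files from the Internet (3) and Restricted (4) zones.
            $status.ProtectedView = ($zoneId -ge 3)
        }
    } catch { }   # no stream: the file came from removable media, an archive, a disk image, etc.
    [pscustomobject]$status
}

# Files that arrived via .7z, disk images, removable media or (per the article's tests) RTF
# attachments typically show HasMotw = False here and would open without Protected View.
Get-ChildItem -LiteralPath $Path -Recurse -File -Include *.doc*, *.rtf, *.xls*, *.ppt* |
    ForEach-Object { Get-MotwStatus -File $_.FullName } |
    Where-Object { -not $_.ProtectedView } |
    Format-Table File, HasMotw, Zone -AutoSize
```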
Summary
The details above are worth reading in full, but if you only want to know how to deal with this vulnerability, read the mitigations below.
Mitigations
As of September 14, 2021, a patch is available through Windows Update; apply it. At present, it is the best solution.
Enable the registry workaround that disables ActiveX. Details are listed in the Microsoft bulletin; it effectively blocks exploitation until the official patch is applied.
Make sure the Preview pane in Explorer (Windows Explorer/File Explorer) is disabled (it is disabled by default). This only protects you from attacks that use the Explorer preview pane. If you open a file outside Protected View (such as an RTF file) or explicitly disable Protected View, you can still be exploited.
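The registry workaround in the second mitigation can be verified rather than trusted. The PowerShell script below is an added example, not code from the McAfee post or the Microsoft bulletin: it reports, and with -Apply sets, the values Microsoft published for CVE-2021-40444, namely 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) set to 3 (Disable) for Internet Explorer zones 0 through 3 under the HKLM Policies hive. The key path and value names are taken from Microsoft's advisory, which this page points to but does not reproduce; the function names are assumptions.

```powershell
# Added example, not code from the McAfee article. Audits (or, with -Apply, sets) Microsoft's
# registry workaround for CVE-2021-40444: disable ActiveX control downloads in IE zones 0-3.
# Values: 1001 = download signed ActiveX controls, 1004 = download unsigned ActiveX controls;
# data 3 means "Disable". Writing requires an elevated (Administrator) PowerShell session.
param([switch]$Apply)

$ZonesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Values   = @('1001', '1004')
$Disable  = 3

function Test-ActiveXWorkaround {
    # One row per zone/value; Mitigated is true only when the value exists and equals 3.
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonesKey $zone
        foreach ($name in $Values) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Zone = $zone; Value = $name; Current = $current; Mitigated = ($current -eq $Disable)
            }
        }
    }
}

function Set-ActiveXWorkaround {
    # Creates the policy keys if absent and writes both DWORD values as 3 in every zone.
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonesKey $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Values) {
            New-ItemProperty -Path $key -Name $name -Value $Disable -PropertyType DWord -Force | Out-Null
        }
    }
}

if ($Apply) { Set-ActiveXWorkaround }
$state = @(Test-ActiveXWorkaround)
$state | Format-Table -AutoSize
if ($state.Mitigated -contains $false) {
    Write-Warning 'ActiveX workaround is not fully in place; an unpatched system remains exposed.'
} else {
    Write-Host 'ActiveX workaround present for all zones 0-3.'
}
```

Run without -Apply on a host that has been patched to confirm whether the workaround was ever applied; the preview pane mitigation is a separate Explorer setting and is not covered here.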
Reference
McAfee Enterprise provides coverage for situations where patching cannot be performed or where the production environment has no patching cycle. Our KB covers the full protection and detection stack: endpoint (ENS Expert Rules), network (NSP) and EDR.
https://kc.mcafee.com/corporate/index?page=content&id=KB94876
[1] 7zip, files from disk images or other container formats, FAT-formatted volumes, etc.
This page is based on the following McAfee Enterprise blog post, updated on September 17, 2021 (US time). Original: The Bug Report | September 2021: CVE-2021-40444. Authors: Kevin McGrath, Eoin Carroll, Steve Povolny