Microsoft Investigates Reports of Remote Code Execution Vulnerability in MSHTML

by Daniel Ruiz
Senior Solutions Architect

Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows.

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document.

Vulnerability:

CVE-2021-40444 affects Windows Server 2008 through 2019 and Windows 8.1 through 10, with a severity level of 8.8 out of the maximum 10.

Microsoft is aware of targeted attacks that try to exploit the vulnerability by sending specially-crafted Microsoft Office documents to potential victims, the company says in an advisory today.

Impacted Products:

  • Windows 8.1
  • Windows Server 2016
  • Windows 10
  • Windows Server 2019
  • Windows Server 2022

Workaround:

A Windows registry update prevents new ActiveX controls from being installed for all sites, while already installed ActiveX controls will keep functioning.

Disabling the installation of all ActiveX controls in Internet Explorer mitigates this attack. This can be accomplished for all sites by updating the registry. Previously installed ActiveX controls will continue to run, but do not expose this vulnerability.

Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To disable ActiveX controls on an individual system:

  • To disable installing ActiveX controls in Internet Explorer in all zones, paste the following into a text file and save it with the .reg file extension:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

  • Double-click the .reg file to apply it to your Policy hive.
  • Reboot the system to ensure the new configuration is applied.

Impact of Workaround:

This sets URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) in all Internet zones, for both 64-bit and 32-bit processes.

New ActiveX controls will not be installed. Previously installed ActiveX controls will continue to run.

How to Undo the Workaround:

Delete the registry keys that were added in implementing this workaround, and reboot the system.
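The following PowerShell script is an added example and is not part of the original advisory or Microsoft's guidance. It covers both the workaround procedure above and the undo step: it audits the current state of the two ActiveX URL actions in zones 0 through 3, applies the same DWORD values as the .reg file, and removes them again. The function names and the overall structure are this example's own; the key paths and the values 1001 and 1004 set to 3 are taken from the advisory. It must be run from an elevated PowerShell session, and a reboot is still needed after applying or undoing, as the advisory states.

```powershell
# Added example (not from the original advisory): audit, apply, or undo the
# CVE-2021-40444 ActiveX-installation workaround across Internet Explorer
# zones 0-3 under the Policies hive. Run from an elevated PowerShell session.
# Function names are this example's own; the key paths and values
# (1001 and 1004 set to DWORD 3) are those given in the advisory above.

$ZonesBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# 1001 = URLACTION_DOWNLOAD_SIGNED_ACTIVEX, 1004 = URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX
$ActiveXValues = @('1001', '1004')
$Disabled = 3   # URL action policy value DISABLED

function Get-ActiveXWorkaroundState {
    # Returns one row per zone/value showing whether the mitigation is present.
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonesBase $zone
        foreach ($name in $ActiveXValues) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Zone      = $zone
                Value     = $name
                Current   = $current
                Mitigated = ($current -eq $Disabled)
            }
        }
    }
}

function Set-ActiveXWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Same effect as importing the .reg file in the advisory.
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonesBase $zone
        if (-not (Test-Path $key)) {
            if ($PSCmdlet.ShouldProcess($key, 'Create policy key')) {
                New-Item -Path $key -Force | Out-Null
            }
        }
        foreach ($name in $ActiveXValues) {
            if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $Disabled")) {
                New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Disabled -Force | Out-Null
            }
        }
    }
}

function Remove-ActiveXWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Undo: remove only the two values the workaround added, leaving any other
    # policy values under the zone keys untouched (assumption: nothing else in
    # this environment depends on these two specific values).
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonesBase $zone
        if (-not (Test-Path $key)) { continue }
        foreach ($name in $ActiveXValues) {
            if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove value')) {
                Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            }
        }
    }
}

# Usage (elevated session):
#   Get-ActiveXWorkaroundState | Format-Table     # audit current state
#   Set-ActiveXWorkaround -WhatIf                 # preview the changes
#   Set-ActiveXWorkaround; Restart-Computer       # apply, then reboot
#   Remove-ActiveXWorkaround; Restart-Computer    # undo, then reboot
```

Running `Get-ActiveXWorkaroundState` before and after the change gives a quick per-zone check that all eight values read 3, which is the state the "Impact of Workaround" section describes. The undo removes the individual values rather than the whole zone keys so that unrelated Internet Settings policies that may share those keys are not deleted along with the workaround.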

If you would like more information or assistance from our industry leading experts to plan and execute the workaround, please contact us at service@helient.com.