Description
Microsoft MSHTML Remote Code Execution Vulnerability
Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.
An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
Please see the Mitigations and Workaround sections for important information about steps you can take to protect your system from this vulnerability.
UPDATE September 14, 2021: Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. Please see the FAQ for important information about which updates are applicable to your system.
Mitigations
By default, Microsoft Office opens documents from the internet in Protected View or in Application Guard for Office, both of which prevent the current attack.
- For information about Protected View, see What is Protected View?.
- For information about Application Guard for Office, see Application Guard for Office.
Customers of Microsoft Defender for Endpoint can enable attack surface reduction rule "BlockOfficeCreateProcessRule" that blocks Office apps from creating child processes. Creating malicious child processes is a common malware strategy. For more information see Use attack surface reduction rules to prevent malware infection.
Workaround
Disabling the installation of all ActiveX controls in Internet Explorer mitigates this attack. This can be accomplished for all sites by configuring the Group Policy using your Local Group Policy Editor or by updating the registry. Previously-installed ActiveX controls will continue to run, but do not expose this vulnerability.
To disable ActiveX controls via Group Policy
In Group Policy settings, navigate to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
For each zone:
- Select the zone (Internet Zone, Intranet Zone, Local Machine Zone, or Trusted Sites Zone).
- Double-click Download signed ActiveX controls and Enable the policy. Then set the option in the policy to Disable.
- Double-click Download unsigned ActiveX controls and Enable the policy. Then set the option in the policy to Disable.
We recommend applying this setting to all zones to fully protect your system.
Impact of workaround
This sets the URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) for all internet zones for 64-bit and 32-bit processes. New ActiveX controls will not be installed. Previously-installed ActiveX controls will continue to run.
How to undo the workaround
Set the option in the policy to the original value before the workaround was applied.
To disable ActiveX controls on an individual system via regkey:
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
- To disable installing ActiveX controls in Internet Explorer in all zones, paste the following into a text file and save it with the .reg file extension:
```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
```
- Double-click the .reg file to apply it to your Policy hive.
- Reboot the system to ensure the new configuration is applied.
Impact of workaround
This sets the URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) for all internet zones for 64-bit and 32-bit processes. New ActiveX controls will not be installed. Previously-installed ActiveX controls will continue to run.
How to undo the workaround
Delete the registry keys that were added in implementing this workaround.
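The following PowerShell script is an added example, not part of the advisory: it audits whether the ActiveX-download workaround above is in place for zones 0 to 3, applies it, or removes it again. The policy path, the value names 1001/1004 and the DISABLED value 3 are taken from the advisory's .reg file; the function names are my own.

```powershell
# Added example: audit/apply/undo the ActiveX-download workaround from the advisory.
# Path and value names come from the advisory's .reg file; function names are assumed.
$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$UrlActions = @{ '1001' = 'URLACTION_DOWNLOAD_SIGNED_ACTIVEX'
                 '1004' = 'URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX' }
$Disabled   = 3   # DISABLED (3), as stated in the advisory

function Get-ActiveXDownloadPolicy {
    # One row per zone/action with the current value ($null when the value is not set).
    foreach ($zone in 0..3) {
        $key = Join-Path $PolicyBase $zone
        foreach ($name in $UrlActions.Keys) {
            $value = $null
            if (Test-Path $key) {
                $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Zone    = $zone
                Action  = $UrlActions[$name]
                Value   = $value
                Blocked = ($value -eq $Disabled)
            }
        }
    }
}

function Set-ActiveXDownloadPolicy {
    # Applies the workaround: creates missing zone keys and sets both actions to 3.
    # Writes to HKLM, so run from an elevated prompt.
    foreach ($zone in 0..3) {
        $key = Join-Path $PolicyBase $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $UrlActions.Keys) {
            Set-ItemProperty -Path $key -Name $name -Value $Disabled -Type DWord
        }
    }
}

function Remove-ActiveXDownloadPolicy {
    # Undo: removes only the two values the workaround added, leaving other policy values intact.
    foreach ($zone in 0..3) {
        $key = Join-Path $PolicyBase $zone
        if (-not (Test-Path $key)) { continue }
        foreach ($name in $UrlActions.Keys) {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        }
    }
}

# Audit: list every zone/action that is still not blocked.
$gaps = Get-ActiveXDownloadPolicy | Where-Object { -not $_.Blocked }
if ($gaps) { $gaps | Format-Table -AutoSize } else { 'ActiveX download is blocked in zones 0-3.' }
```

A reboot is still needed after `Set-ActiveXDownloadPolicy` or `Remove-ActiveXDownloadPolicy`, as the advisory notes for the .reg route.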
To disable preview in Windows Explorer
Disabling Shell Preview prevents a user from previewing documents in Windows Explorer. Follow these steps for each type of document you want to prevent being previewed:
- In Registry Editor, navigate to the appropriate registry key for the document type you want to prevent from being previewed. Note that if a registry key does not exist for a document type, it is already not possible to preview that document using Windows Explorer.
For Word documents:
- HKEY_CLASSES_ROOT\.docx\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}
- HKEY_CLASSES_ROOT\.doc\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}
- HKEY_CLASSES_ROOT\.docm\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}
For rich text files:
- HKEY_CLASSES_ROOT\.rtf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}
- Export a copy of the regkey for backup.
- Double-click Name and in the Edit String dialog box, delete the Value Data.
- Click OK.
Impact of workaround
Users will not be able to preview documents with the specified extension in Windows Explorer.
How to undo the workaround
Double-click the .reg file or files that you created in Step Two of the workaround.
FAQ
There are three updates listed in the Security Updates table for Windows 8.1, Windows Server 2012 R2, and Windows Server 2012. Which updates do I need to apply to my system to be protected from this vulnerability?
Customers running Windows 8.1, Windows Server 2012 R2, or Windows Server 2012 can apply either the Monthly Rollup or both the Security Only and the IE Cumulative updates.
I am running Windows 7, Windows Server 2008 R2, or Windows Server 2008. Do I need to apply both the Monthly Rollup and the IE Cumulative updates?
- The Monthly Rollup for Windows 7, Windows Server 2008 R2, and Windows Server 2008 includes the update for this vulnerability. Customers who apply the Monthly Rollup do not need to apply the IE Cumulative update.
- Customers who only apply Security Only updates need to also apply the IE Cumulative update to be protected from this vulnerability.
Updates
Product | Article | Update |
---|---|---|
Windows Server 2008 for 32-bit Systems Service Pack 2 | ||
Windows Server 2008 for x64-based Systems Service Pack 2 | ||
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | ||
Windows 7 for 32-bit Systems Service Pack 1 | ||
Windows 7 for x64-based Systems Service Pack 1 | ||
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | ||
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | ||
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | ||
Windows Server 2012 | ||
Windows Server 2012 (Server Core installation) | ||
CVSS3: 8.8 High
Related vulnerabilities
Microsoft MSHTML Remote Code Execution Vulnerability
A vulnerability in the MSHTML engine of the Internet Explorer browser, caused by improper control of code generation, allowing an attacker to execute arbitrary code
CVSS3: 8.8 High