Microsoft MSHTML Remote Code Execution Vulnerability

Overview

Microsoft is tracking targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.

Impact

If an attacker manages to convince a user to open a malicious document, they may be able to execute commands at the privilege level of the user.

Vulnerability Detection

Up-to-date Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.

Affected Products

Windows Server 2022
Windows Server 2019
Windows 10
Windows Server 2016
Windows 8.1
Windows Server 2012
Windows Server 2008

Containment, Mitigations & Remediations

The exploit runs with the privileges of the compromised user. Therefore, users whose accounts are configured with fewer user rights on the system could be less impacted than users who operate with administrative user rights. Account separation and the principle of least privilege are user-account best practices that would help mitigate the impact of this exploit.

By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack. Users should be made aware not to enable active content or disable these protective mechanisms.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protection for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments.

The following registry settings will disable the installation of all ActiveX controls in Internet Explorer. These can also be deployed via Group Policy Object (GPO); however, alternatives may be required for other browsers:

Windows Registry Editor Version 5.00

; Zones: 0 = My Computer (Local Machine), 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet
; Values: 1001 = "Download signed ActiveX controls", 1004 = "Download unsigned ActiveX controls"
; Data: 3 = Disable

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

; Same settings for 32-bit Internet Explorer on 64-bit Windows
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

Once applied, a reboot of the system is advised.
This workaround may prevent other, legitimate ActiveX content from functioning correctly.
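To confirm that the workaround above has actually taken effect on a host (for example after a GPO push), the following read-only audit script checks that values 1001 and 1004 are set to 3 for zones 0 to 3 in both policy hives. It is an added example, not part of the original advisory; it assumes 64-bit Windows (so the WOW6432Node hive is expected) and the key and value names exactly as listed above.

```powershell
# Added audit example (not from the advisory): report whether the ActiveX download
# policies are set to 3 (Disable) for zones 0-3. Read-only; it changes nothing.
# Assumes 64-bit Windows, so the WOW6432Node policy hive is expected to exist.

$zonePaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Policies\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)
$zones    = 0..3               # 0 = My Computer, 1 = Intranet, 2 = Trusted, 3 = Internet
$values   = @('1001', '1004')  # signed / unsigned ActiveX download policies
$expected = 3                  # 3 = Disable

function Test-ActiveXDownloadPolicy {
    param([string]$ZonesPath)
    $findings = @()
    foreach ($zone in $zones) {
        $key = Join-Path $ZonesPath $zone
        if (-not (Test-Path $key)) {
            # Whole zone key absent: the workaround was not applied to this hive/zone
            $findings += [pscustomobject]@{ Key = $key; Value = '*'; Actual = 'missing'; Compliant = $false }
            continue
        }
        foreach ($name in $values) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            $findings += [pscustomobject]@{
                Key       = $key
                Value     = $name
                Actual    = if ($null -eq $actual) { 'missing' } else { $actual }
                Compliant = ($actual -eq $expected)
            }
        }
    }
    return $findings
}

$results = foreach ($p in $zonePaths) { Test-ActiveXDownloadPolicy -ZonesPath $p }
$results | Format-Table -AutoSize

$nonCompliant = @($results | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -eq 0) {
    Write-Output 'All zones: ActiveX download policies are set to Disable (3).'
    exit 0
}
Write-Output "$($nonCompliant.Count) policy value(s) missing or not set to 3; see table above."
exit 1
```

The non-zero exit code lets the script be used as a compliance check from an RMM or scheduled task.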

Indicators of Compromise

There are no known IoCs at this time.

Threat Landscape

These are targeted attacks for which Proof of Concept (PoC) code is available. It is therefore likely that attacks will become less targeted as other groups and individuals try to leverage the exploit.

In order for the exploit to work, the attacker(s) have to convince the user to open the file. These types of mechanisms are typically associated with phishing and spearphishing, where the document is either directly attached or linked as a shared file on an internet-hosted platform.

Further Information

Microsoft MSHTML Remote Code Execution Vulnerability