This Windows exploit can hijack your PC and there's no fix yet — what to do now [updated]


Updated Sept. 14, 2021, with fix for this flaw as part of September Patch Tuesday updates.

Earlier this week, Microsoft warned of a new zero-day exploit that lets attackers use booby-trapped Office 365 files to hijack any and all Windows PCs. 

The Microsoft security advisory for this flaw, catalogued as CVE-2021-40444, said users should heed the Protected View warnings that Word, Excel or PowerPoint display when opening a file downloaded from the internet, and to not click the "Enable Editing" button on such files.

But the problem is actually much worse than that and harder to defend against. Office isn't even necessary for this exploit to work. Just previewing a booby-trapped Rich Text Format (RTF) file in File Explorer is enough to trigger the exploit, as CERT/CC vulnerability analyst Will Dormann demonstrated on Twitter yesterday (Sept. 9).

The actual attack mechanism for this exploit hasn't been publicly revealed, but several security researchers have replicated the exploit, which is also being actively used in attacks on what seem to be mainly U.S. targets. 

Microsoft may patch this flaw with next Tuesday's round of monthly updates, but we won't know for sure until then. Windows 7, 8.1, 10 and 11 are equally vulnerable, as are all versions of Microsoft Office.

For the moment, home Windows users can minimize their exposure to this attack by disabling the outmoded Microsoft programming framework ActiveX in Office (we'll show you how below) and by running one of the best antivirus programs. 

Taking those steps will protect Office and will stop known malicious files, but attackers could easily create new malicious files or use non-Office files. You'll just be playing whack-a-mole until Microsoft patches this.

The only sure-fire way to protect yourself from these attacks, at least until Sept. 14, is to completely disable ActiveX in the Windows Registry, the "master document" that governs each Windows system. That's a risky move unless you truly know what you're doing, but we'll show you how to do that too.

How to disable ActiveX in Office 365/Microsoft Office

This will disable the ability to view web-based content in Word, Excel, PowerPoint or other Office applications.

  1. Open Word document, Excel spreadsheet or PowerPoint presentation.
  2. Click File in top left to reveal the left-hand navigation bar.
  3. Scroll all the way down and click Options.
  4. Click Trust Center in the left-hand navigation bar of the window that pops up.
  5. Click the Trust Center Settings button in the right-hand window.
  6. Select ActiveX Settings in the left-hand navigation bar.
  7. Select "Disable all controls without notification" in the right-hand window.

How to disable ActiveX in Windows entirely

Warning: This involves editing the Windows Registry, and one mistake could severely damage your Windows installation.

As Microsoft itself says in the advisory warning of this exploit, "you may cause serious problems that may require you to reinstall your operating system." Tom's Guide can't take responsibility if that happens to you, so proceed at your own risk. 

This will also disable your ability to view web-based content in Word, Excel, PowerPoint or other Office applications, will cripple Internet Explorer, and may also affect File Explorer and other programs that come built into Windows. It will not affect Microsoft Edge.

1. Make sure you're running Windows in an Administrator account.

2. Copy and paste all of the following text into a text file, exactly as written:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

3. Save the text file to your desktop with the ".reg" file extension. The name of the file doesn't matter — it's the extension that counts — but you could call it "flaw-fix.reg" as one example.

4. Locate the file on your desktop and double-click it.

5. Click "Yes" in the window that pops up warning you of all the bad things that could happen if you edit the Registry.

6. Reboot your PC.
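If you'd rather check whether the workaround above actually took effect (or apply it without hand-editing a .reg file), the following PowerShell script does the same thing as the six steps above. It is an added example written for this article, not something from Microsoft's advisory: it reads the four Internet Settings zone keys the .reg file writes to, reports whether values 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) are set to 3 (disable), and, only if you pass the hypothetical -Apply switch, writes those values itself. Run it from an elevated PowerShell window; the registry path is the one from the .reg file above.

```powershell
# Added example (not from the article or from Microsoft): audit, and optionally
# apply, the ActiveX-disabling registry workaround for CVE-2021-40444.
# Run in an elevated (Administrator) PowerShell session.
[CmdletBinding()]
param(
    [switch]$Apply   # hypothetical switch; without it the script only reports
)

# Same key the article's .reg file writes to; zones 0-3 are
# My Computer, Local Intranet, Trusted Sites and Internet.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$values = @('1001', '1004')   # 1001 = download signed ActiveX, 1004 = download unsigned ActiveX
$disabled = 3                 # 0 = enable, 1 = prompt, 3 = disable

$results = foreach ($zone in 0..3) {
    $key = Join-Path $base $zone
    foreach ($name in $values) {
        $current = $null
        if (Test-Path $key) {
            # Read the current DWORD, or $null if the value is not present.
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }
        $ok = ($current -eq $disabled)

        if ($Apply -and -not $ok) {
            # Create the zone key if the Policies branch has never been used, then set the value.
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $name -Value $disabled -PropertyType DWord -Force | Out-Null
            $current = $disabled
            $ok = $true
        }

        [pscustomobject]@{ Zone = $zone; Value = $name; Current = $current; Mitigated = $ok }
    }
}

$results | Format-Table -AutoSize
if ($results.Mitigated -contains $false) {
    Write-Warning 'ActiveX workaround is NOT fully applied. Re-run with -Apply (elevated) and reboot.'
} else {
    Write-Host 'ActiveX workaround is applied in all four zones. Reboot if you just applied it.'
}
```

Without -Apply the script changes nothing, so it is safe to run first to see where you stand; a zone that reports Current = (blank) simply means the policy value has never been set, which is the normal state before the workaround. After applying, the same reboot step above still applies, and once Microsoft's Sept. 14 patch is installed you can remove these values to restore the default behaviour.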

What's going on here?

Back in the mid-1990s, Microsoft created a programming framework called ActiveX to compete with Java and JavaScript, two tools that were being widely used to create rich web content. It embedded ActiveX into MSHTML, the rendering engine that powered the Internet Explorer web browser. 

Today, neither ActiveX nor Internet Explorer is still being developed, but MSHTML remains the default web-content rendering engine for Office and many built-in Windows programs, and that includes Windows 11. Hence, Word, Excel, PowerPoint, File Explorer and other common Microsoft applications use MSHTML and ActiveX.

Just think of each of those programs as having a mini-Internet Explorer browser built in — whether or not IE is actually itself installed on the system.

"Word uses MSHTML in a way which has almost no security," wrote security expert Kevin Beaumont on Twitter this past Wednesday (Sept. 8). "It's a pretty rich attack surface."

In this case, the attackers — thought to be part of the BazarLoader malware campaign — are pumping out phishing emails with attached Word documents that may be of interest to the recipients. One prime example seems to come from a lawyer in Minneapolis threatening that you're about to be sued in small-claims court.

That example might look like an obvious phishing email to many people, but attackers could scan your social media postings to craft a document that might be better at fooling you. As Dormann pointed out, they could make it an RTF file instead of an Office one to avoid Protected View, or embed a Word doc in a Zip file or other compressed folder to also avoid Protected View.

Once the Office file or RTF file is opened, the web-based content in the file activates MSHTML, which then uses ActiveX to render the web content. 

The attackers are creating customized, malicious ActiveX "controls," or programming modules, to hijack your PC, but Beaumont said on Twitter that he'd found a way to trigger the exploit without any new ActiveX controls.

Whatever the mechanism, the end result is that the malware using the exploit gains the same privileges on the system as the current user. If you're running Windows as a limited user without the ability to install, update or delete applications or change system settings, then the damage will be limited. But if you're running Windows as an administrator, then the malware can truly take over your system.

The ultimate goal, at least in the current malware campaign, is to install the CobaltStrike backdoor on a system to create a permanent, hidden method of remote control. 

Update: Microsoft patches this flaw with system update

Microsoft on Tuesday, Sept. 14 patched this flaw in its scheduled round of Patch Tuesday updates. Patches are available for Windows 7 (in extended support) through Windows 10 version 21H1.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
