Threat actors are sharing Windows MSHTML zero-day (CVE-2021-40444) tutorials and exploits on hacking forums, allowing other hackers to start exploiting the new vulnerability in their own attacks.

Last Tuesday, Microsoft disclosed a new zero-day vulnerability in Windows MSHTML that allows threat actors to create malicious documents, including Office and RTF docs, to execute commands on a victim’s computer remotely.

Even though there are no security updates available for the CVE-2021-40444 vulnerability, as it was discovered used in active attacks by EXPMON and Mandiant, Microsoft decided to disclose the vulnerability and provide mitigations to help prevent its exploitation.

These mitigations work by blocking ActiveX controls and Word/RTF document previews in Windows Explorer.

However, researchers have been able to modify the exploit not to use ActiveX, effectively bypassing Microsoft’s mitigations.

Guides and PoCs shared on hacking forums

When Microsoft first disclosed the Windows MSHTML zero-day, tracked as CVE-2021-40444, security researchers quickly found the malicious documents used in attacks.

While they soon reproduced the exploits, modified them for further capabilities, and discovered a new document preview vector, the researchers did not disclose details for fear other threat actors would abuse it.

Unfortunately, threat actors have been able to reproduce the exploit on their own from information, and malicious document samples posted online and have begun sharing detailed guides and information on hacking forums.

Starting on Thursday, threat actors began sharing public information about the HTML component of the exploit and how to create the malicious document. On Friday, more instructions were posted on generating the payload and a CAB file that included the path traversal vulnerability component.

Forum post on how to make the malicious payload
Forum post on how to make the malicious payload

On Saturday, as researchers began releasing more details on Github and Twitter, the threat actors shared further details on how to generate all aspects of the exploit.

More detailed instructions released
More detailed instructions released

The information is simple to follow and allows anyone to create their own working version of the CVE-2021-40444 exploit, including a python server to distribute the malicious documents and CAB files.

Using this information, BleepingComputer could reproduce the exploit in about 15 minutes, as demonstrated in the video below.

Defending against the CVE-2021-40444 MSHTML vulnerability 

The good news is that since the vulnerability was disclosed, Microsoft Defender and other security programs can detect and block malicious documents and CAB files used in this attack.

For example, you can see below Microsoft Defender blocking the exploit as ‘Trojan:Win32/CplLoader.a’ and ‘TrojanDownloader:HTML/Donoff.SA’ detections.

Microsoft Defender blocking CVE-2021-40444 exploits
Microsoft Defender blocking CVE-2021-40444 exploits

Microsoft has also provided the following mitigations to block ActiveX controls in Internet Explorer, the default handler for the MSHTML protocol, and block document preview in Windows Explorer.

Disable ActiveX controls in Internet Explorer

To disable ActiveX controls, please follow these steps:

  1. Open Notepad and paste the following text into a text file. Then save the file as disable-activex.reg. Make sure you have the displaying of file extensions enabled to properly create the Registry file.

    Alternatively, you can download the registry file from here.

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZones]
    "1001"=dword:00000003
    "1004"=dword:00000003
    
    [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZones1]
    "1001"=dword:00000003
    "1004"=dword:00000003
    
    [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZones2]
    "1001"=dword:00000003
    "1004"=dword:00000003
    
    [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZones3]
    "1001"=dword:00000003
    "1004"=dword:00000003
  2. Find the newly created disable-activex.reg and double-click on it. When a UAC prompt is displayed, click on the Yes button to import the Registry entries.
  3. Reboot your computer to apply the new configuration.

Once you reboot your computer, ActiveX controls will be disabled in Internet Explorer.

You can enable ActiveX controls again by deleting the above Registry keys or using this Registry file.

Disable document preview in Windows Explorer

Security researchers have also found that this vulnerability can be exploited by viewing a malicious document using the Windows Explorer preview feature.

Since this was discovered, Microsoft has added the following mitigation to disable previewing of RTF and Word documents:

  1. In the Registry Editor (regedit.exe), navigate to the appropriate registry key:

    For Word documents, navigate to these keys:

    • HKEY_CLASSES_ROOT.docxShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}
    • HKEY_CLASSES_ROOT.docShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}
    • HKEY_CLASSES_ROOT.docmShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}

    For rich text files (RTF), navigate to this key:

    • HKEY_CLASSES_ROOT.rtfShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}
  2. Export a copy of the Registry key as a backup.
  3. Now double-click Name and in the Edit String dialog box, delete the Value Data.
  4. Click OK,

Word document and RTF file previews are now disabled in Windows Explorer.

To enable Windows Explorer preview for these documents, double-click on the backup .reg file you created in step 2 above.

While these mitigations will help, as the exploit has been modified not to use ActiveX controls, users are still at risk until an official security update is released.

Until Microsoft releases a security update, everyone should treat all Word and RTF attachments suspiciously and their source manually verified before opening them.

Update 9/12/21: Added time progression for release of exploits.