• Home
  • |
  • Blog
  • |
  • How To Fix The CVE-2021-40444 A New 0-Day MSHTML Remote Code Execution Vulnerability Targeting Windows Users?
How to Fix the CVE-2021-40444 | MSHTML Remote Code Execution Vulnerability

Microsoft disclosed a new 0-day vulnerability (CVE-2021-40444) which is being actively exploited in the wild. In the initial analysis, it said that the flaw could be used to hijack vulnerable Windows systems with weaponized Microsoft Office documents. It’s all our responsibility to be protected from 0-day MSHTML remote code execution vulnerability. Let’s see how to fix the CVE-2021-40444 MSHTML Remote Code Execution vulnerability on Windows machines.

Summary Of CVE-2021-40444 – Microsoft MSHTML Remote Code Execution Vulnerability:

CVSS SCORE: 8.8

This remote code execution vulnerability existing in the browser engine of the Internet Explorer named ‘MSHTML’, which is also used to render web content on Word, Excel, and PowerPoint documents. 

Microsoft says that “An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

You can see Microsoft’s Exploitability index for this vulnerability is being tracked here.

Microsoft didn’t disclose more information about attack vectors, targets, and the identity of the adversaries exploiting this 0-day MSHTML Remote Code Execution vulnerability.

How To Fix The CVE-2021-40444 – Microsoft MSHTML Remote Code Execution Vulnerability?

  1. Microsoft has released the fix in its September 2021 security updates. Installing the updates should be the first step to fix the CVE-2021-40444 MSHTML vulnerability.
  2. The best way to mitigate attacks targeting CVE-2021-40444 MSHTML vulnerability is, disable the installation of all ActiveX controls in Internet Explorer. You can disable ActiveX controls by updating these registries.  
  3. Microsoft’s native antimalware solutions ‘Microsoft Defender Antivirus’ and ‘Microsoft Defender for Endpoint’ are capable of detecting the vulnerability. Microsoft Defender for Endpoint recognizes the vulnerability as “Suspicious Cpl File Execution”.
  4. Block all Office applications from creating child processes by enabling attack surface reduction rule “BlockOfficeCreateProcessRule” on Microsoft Defender.
  5. Microsoft Office’s security features ‘Protected View‘ or ‘Application Guard‘ can prevent attacks targeted CVE-2021-40444 MSHTML Remote Code Execution vulnerability.
  6. This can also be mitigated by disabling ActiveX on the internet explorer.
  7. Turn on automatic updates on your personal computers. or install the latest security updates as soon as they become available.
  8. It’s always best practice to run the latest version of operating system with latest patch.
  9. It’s must to regularly update your anti-virus or endpoint security clients to cover rapidly evolving attacker tools and techniques. We recommand to have cloud based machine learning protection which identities and blocks the majority of new and unknown threats.
  10. It is important to ensure tamper protection is turnd-on on your endpoint client application.
  11. No additional action is required against the vulnerability for the users who always keep their Windows Environment up to date. 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

Please read the post: “How to quickly find and fix vulnerabilities on Windows in no time?

How To Disable Installing ActiveX Controls In Internet Explorer In All Zones?

  1. Copy the registry information from the previous section to a text file and save the file with the .reg extension.
  2. Apply registry setting to your policy hive just by double-clicking on the file.
  3. Reboot the system to save the new configuration on the system.

How To Disable ActiveX Controls Via Group Policy?

  1. Navigate to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.
  2. Select the zone Internet Zone.
  3. Double-click Download signed ActiveX controls and Enable the policy. Then set the option in the policy to Disable.
  4. Double-click Download unsigned ActiveX controls and Enable the policy. Then set the option in the policy to Disable.
  5. Repeat the task with Intranet Zone, Local Machine Zone, or Trusted Sites Zone.

Note: These registry changes may cause serious problems. It may require you to reinstall your operating system. If you want to roll back the changes. Just delete all the four registry keys or set them to the original value before the changes were applied.

Thanks for reading this post. We believe it’s our responsibility to share the post which helps to secure the digital world. Please share this post with others and help to create awareness against cyber threats.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.