miércoles, 1 diciembre 2021
Visitas totales a la web: 87059247

El portal de los profesionales de seguridad y emergencias

Nº 1 del mundo en español en seguridad global

Soluciones de seguridad global

How to mitigate the Microsoft Office zero-day attack

Susan Bradley

Follow this advice to block malicious Office files from doing harm to your network even if you’ve implemented Microsoft’s recommended actions.

Once again attackers have used Office files in targeted attacks against Microsoft users. This time they used the Windows Explorer preview pane to deliver malicious .doc, .docm, and .docx files. Researchers have found that malicious .rtf files can also be used in such attacks. For this exploit, an attacker crafts a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.

The attacker must convince a user to open the malicious document. So, your first line of defense is an educated user who doesn’t blindly open unexpected files. In addition, Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Your antivirus tools may already include detections for this exploit as well.

Microsoft has released CVE-2021-40444 to track this vulnerability. Even when it’s fixed, don’t let your guard down. Instead, I recommend you keep one key protection that probably many of us are not doing to protect ourselves from malicious Office files including those used in this most current exploit.

Microsoft Defender Attack Surface Reduction rules

A vulnerability analyst at the CERT/CC, Will Dorman, pointed out that using Microsoft Defender’s Attack Surface Reduction (ASR) rules is a better long-term way to protect against such attacks. You can do this in multiple ways.

You can use Group Policy to configure ASR rules. This setting has been available since version 1709 of Windows 10. The exploit starts with an ActiveX CAB to place a DLL at a known location on the targeted system. A .CPL URI is then used to run that code. Microsoft’s mitigation focuses on blocking the ActiveX file so it can’t be called into action. Using ASR rules protects you not only for the current exploit but for future similar exploits.

To enable this setting, select in order:

  1. “Computer Configuration”
  2. “Administrative Templates”
  3. “Windows Components”
  4. “Microsoft Defender Antivirus”
  5. “Microsoft Defender Exploit Guard”
  6. “Attack Surface Reduction”
  7. «Configure Attack Surface Reduction rules» and make sure the value is set to «Enabled”

In earlier versions “Microsoft Defender antivirus” was called “Windows Defender antivirus.” so your group policy may need refreshing to track the new name even though the old name will still work.

bradley officezero1

Select “Show…” and verify the rule ID in the “Value name” column and the desired state in the “Value” column is set as follows:

Value name: D4F940AB-401B-4EFC-AADC-AD5F3C50688A

Value: 1

bradley officezero2

ASR functions are available in Windows 10 Pro v1709 or later, Windows 10 Enterprise v1709 or later, Windows Server v1803 (Semi-Annual Channel) or later, and Windows Server 2019 or later. All ASR protections are available in Windows 10 Professional, but more reporting and monitoring functions are available in Enterprise SKUs.

If you prefer a more targeted protection and follow just the Microsoft-specific guidance, you can do so by disabling the installation of all ActiveX controls in Internet Explorer. You can do this for all sites by configuring a group policy using your local Group Policy editor or by updating the registry. In Group Policy, navigate in this order to:

  1. “Computer Configuration”
  2. “Administrative Templates”
  3. “Windows Components”
  4. “Internet Explorer”
  5. “Internet Control Panel”
  6. “Security Page”

Select each zone (Internet Zone, Intranet Zone, Local Machine Zone, or Trusted Sites Zone) and double-click on “Download signed ActiveX controls and Enable the policy”. Then set the option in the policy to “Disable”. Double-click on “Download unsigned ActiveX controls and Enable the policy”. Then set the option in the policy to “Disable”.

Microsoft recommends setting this for Internet Zone, Intranet Zone, Local Machine Zone, and Trusted Sites Zone. If you rely on ActiveX for any internal functions, this will allow previously installed and deployed ActiveX controls to still function but will block any new ActiveX controls from being installed and used in your systems. In my testing, I have not seen any side effects with disabling ActiveX in this manner. Alternatively, you can use registry keys to disable these ActiveX controls.

Disable Windows Explorer preview pane

It’s recommended to also disable shell preview in Windows Explorer. I do not enable preview pane in Windows Explorer unless I have a specific need or task in mind. It slows my computer down if it’s enabled.

To disable both the ActiveX and the Windows Explorer view of .doc, .docm, .docx and .rtf files, use the following registry key (also downloadable from this link):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

[-HKEY_CLASSES_ROOT\.docx\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]

[-HKEY_CLASSES_ROOT\.doc\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]

[-HKEY_CLASSES_ROOT\.docm\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]

[-HKEY_CLASSES_ROOT\.rtf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]

The use of “-“ in front of these registry keys indicate that the registry file will remove these entries from your systems. If you wish to undo these settings, you can use this registry script to reenable.

Once Microsoft has patched for this issue, you may wonder if you are impacted by disabling the preview pane function. Many already either don’t enable the preview pane in Outlook or automatically block Word files from being previewed until you click on the enable content feature. Especially in an organization where you know you are targeted, you may wish to leave these protection settings in place even after any Microsoft patch is deployed.  

Bottom line: Analyze your risk posture. Are you likely to be targeted? Do your users use preview pane in Windows Explorer? Do you have users who are a bit click happy? Do you have users that run with administrative rights? If the answer to all these risk questions is yes, then it’s wiser to use ASR rules and keep them in place even after this zero-day vulnerability is patched.

Fecha de publicaciónseptiembre 22, 2021

BELT.ES no se hace responsable de las opiniones de los artículos reproducidos en nuestra Revista de Prensa, ni hace necesariamente suyas las opiniones y criterios expresados. La difusión de la información reproducida se realiza sin fines comerciales. 

Listado de Expertos

Recomendado

Profesión militar: Obediencia debida frente a la obligación de disentir

Con ocasión de la realización de estudios en el Instituto Universitario Gutiérrez Mellado tuve la ocasión de leer y analizar una serie de documentos de opinión que trataban en profundidad las diferentes facetas presentes en el campo de las relaciones cívico-militares; temas que , habitualmente, no han estado presentes en los diferentes cursos y actividades formativas en la enseñanza militar, ni, por supuesto, en la civil.

El amor de Macarena Olona por la Guardia Civil empieza por su pareja, un joven oficial condecorado

El padre de su hijo llegó a la Benemérita como militar de carrera y, los que le...

El paracaidista español que humilló a los «temibles» espías soviéticos

Joaquín Madolell, natural de Melilla y militar del Ejército del Aire, desarticuló la mayor red del espionaje...

Últimas noticias

Guerra fría: Una guía fascinante de la guerra de Corea y la guerra de Vietnam

La Guerra de Corea: Una Guía Fascinante de la Historia de la Guerra de CoreaLa Guerra de...

Sí, las matemáticas resuelven problemas reales y estos son algunos ejemplos

La modelización matemática es útil en múltiples aplicaciones, entre ellas controlar un incendio. Uno de los objetivos que tenemos...

Así es el duro entrenamiento militar de Elisabeth de Bélgica, ¿para cuando el de Leonor?

A sus 19 años, la joven ha sido la primera heredera de su generación en someterse a una entrenamiento similar.

¿Qué es el Plan Interior Marítimo?

Conoce las características esenciales de los planes que deben tener empresas y autoridades portuarias frente a la contaminación medioambiental marina.

Manual de ciberinvestigación en fuentes abiertas: OSINT para analistas

OSINT y ciberinvestigación. Arriesgar con dos términos tan populares y sobreutilizados para los títulos de este libro no es casualidad. Pese a...