domingo, 14 agosto 2022
Visitas totales a la web: 87788311

El portal de los profesionales de seguridad y emergencias

Nº 1 del mundo en español en seguridad global

Soluciones de seguridad global

How to mitigate the Microsoft Office zero-day attack

Susan Bradley

Follow this advice to block malicious Office files from doing harm to your network even if you’ve implemented Microsoft’s recommended actions.

Once again attackers have used Office files in targeted attacks against Microsoft users. This time they used the Windows Explorer preview pane to deliver malicious .doc, .docm, and .docx files. Researchers have found that malicious .rtf files can also be used in such attacks. For this exploit, an attacker crafts a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.

The attacker must convince a user to open the malicious document. So, your first line of defense is an educated user who doesn’t blindly open unexpected files. In addition, Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Your antivirus tools may already include detections for this exploit as well.

Microsoft has released CVE-2021-40444 to track this vulnerability. Even when it’s fixed, don’t let your guard down. Instead, I recommend you keep one key protection that probably many of us are not doing to protect ourselves from malicious Office files including those used in this most current exploit.

Microsoft Defender Attack Surface Reduction rules

A vulnerability analyst at the CERT/CC, Will Dorman, pointed out that using Microsoft Defender’s Attack Surface Reduction (ASR) rules is a better long-term way to protect against such attacks. You can do this in multiple ways.

You can use Group Policy to configure ASR rules. This setting has been available since version 1709 of Windows 10. The exploit starts with an ActiveX CAB to place a DLL at a known location on the targeted system. A .CPL URI is then used to run that code. Microsoft’s mitigation focuses on blocking the ActiveX file so it can’t be called into action. Using ASR rules protects you not only for the current exploit but for future similar exploits.

To enable this setting, select in order:

  1. “Computer Configuration”
  2. “Administrative Templates”
  3. “Windows Components”
  4. “Microsoft Defender Antivirus”
  5. “Microsoft Defender Exploit Guard”
  6. “Attack Surface Reduction”
  7. «Configure Attack Surface Reduction rules» and make sure the value is set to «Enabled”

In earlier versions “Microsoft Defender antivirus” was called “Windows Defender antivirus.” so your group policy may need refreshing to track the new name even though the old name will still work.

bradley officezero1

Select “Show…” and verify the rule ID in the “Value name” column and the desired state in the “Value” column is set as follows:

Value name: D4F940AB-401B-4EFC-AADC-AD5F3C50688A

Value: 1

bradley officezero2

ASR functions are available in Windows 10 Pro v1709 or later, Windows 10 Enterprise v1709 or later, Windows Server v1803 (Semi-Annual Channel) or later, and Windows Server 2019 or later. All ASR protections are available in Windows 10 Professional, but more reporting and monitoring functions are available in Enterprise SKUs.

If you prefer a more targeted protection and follow just the Microsoft-specific guidance, you can do so by disabling the installation of all ActiveX controls in Internet Explorer. You can do this for all sites by configuring a group policy using your local Group Policy editor or by updating the registry. In Group Policy, navigate in this order to:

  1. “Computer Configuration”
  2. “Administrative Templates”
  3. “Windows Components”
  4. “Internet Explorer”
  5. “Internet Control Panel”
  6. “Security Page”

Select each zone (Internet Zone, Intranet Zone, Local Machine Zone, or Trusted Sites Zone) and double-click on “Download signed ActiveX controls and Enable the policy”. Then set the option in the policy to “Disable”. Double-click on “Download unsigned ActiveX controls and Enable the policy”. Then set the option in the policy to “Disable”.

Microsoft recommends setting this for Internet Zone, Intranet Zone, Local Machine Zone, and Trusted Sites Zone. If you rely on ActiveX for any internal functions, this will allow previously installed and deployed ActiveX controls to still function but will block any new ActiveX controls from being installed and used in your systems. In my testing, I have not seen any side effects with disabling ActiveX in this manner. Alternatively, you can use registry keys to disable these ActiveX controls.

Disable Windows Explorer preview pane

It’s recommended to also disable shell preview in Windows Explorer. I do not enable preview pane in Windows Explorer unless I have a specific need or task in mind. It slows my computer down if it’s enabled.

To disable both the ActiveX and the Windows Explorer view of .doc, .docm, .docx and .rtf files, use the following registry key (also downloadable from this link):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003

[-HKEY_CLASSES_ROOT\.docx\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]

[-HKEY_CLASSES_ROOT\.doc\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]

[-HKEY_CLASSES_ROOT\.docm\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]

[-HKEY_CLASSES_ROOT\.rtf\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]

The use of “-“ in front of these registry keys indicate that the registry file will remove these entries from your systems. If you wish to undo these settings, you can use this registry script to reenable.

Once Microsoft has patched for this issue, you may wonder if you are impacted by disabling the preview pane function. Many already either don’t enable the preview pane in Outlook or automatically block Word files from being previewed until you click on the enable content feature. Especially in an organization where you know you are targeted, you may wish to leave these protection settings in place even after any Microsoft patch is deployed.  

Bottom line: Analyze your risk posture. Are you likely to be targeted? Do your users use preview pane in Windows Explorer? Do you have users who are a bit click happy? Do you have users that run with administrative rights? If the answer to all these risk questions is yes, then it’s wiser to use ASR rules and keep them in place even after this zero-day vulnerability is patched.

Fecha de publicaciónseptiembre 22, 2021

BELT.ES no se hace responsable de las opiniones de los artículos reproducidos en nuestra Revista de Prensa, ni hace necesariamente suyas las opiniones y criterios expresados. La difusión de la información reproducida se realiza sin fines comerciales. 

Listado de Expertos

Recomendado

Profesión militar: Obediencia debida frente a la obligación de disentir

Con ocasión de la realización de estudios en el Instituto Universitario Gutiérrez Mellado tuve la ocasión de leer y analizar una serie de documentos de opinión que trataban en profundidad las diferentes facetas presentes en el campo de las relaciones cívico-militares; temas que , habitualmente, no han estado presentes en los diferentes cursos y actividades formativas en la enseñanza militar, ni, por supuesto, en la civil.

El amor de Macarena Olona por la Guardia Civil empieza por su pareja, un joven oficial condecorado

El padre de su hijo llegó a la Benemérita como militar de carrera y, los que le...

La artillería ‘made in USA’ comprada por Marruecos que deja fuera de juego a España

El país magrebí sigue reforzando sus fuerzas armadas a golpe de talonario, y no lo hace de...

Últimas noticias

El soldado español: Una visión de España a través de sus combatientes

El soldado español forma parte inseparable del pasado y el presente de España. Es una memoria marcada...

Doxing: tus datos personales expuestos.

Doxing: amenazas en la red con la publicación de datos confidenciales de políticos y famosos. Como ya previnimos, los...

Microsoft revive el miedo a otro gran ‘hackeo’ ruso: las claves de la ciberguerra contra EEUU

Según la compañía de Nadella, en apenas tres meses, 600 empresas han recibido cerca de 23.000 ataques de grupos organizados. El objetivo,...

“Pilotar un Eurofighter no lo hace cualquiera, da igual que seas hombre o mujer”

A sus 25 años, la teniente Elena Gutiérrez se ha convertido en la primera militar a los mandos del caza más moderno...

La exigencia de ser alumno en la Academia de Artillería

El Colegio de Artillería del Alcázar fue designado como tal centro formativo el 29 de enero de 1762. Desde esa fecha siempre...