The Bug Report | September 2021: CVE-2021-40444



Why am I here?

There’s a lot of information out there on critical vulnerabilities; this short bug report contains an overview of what we believe to be the most newsworthy and noteworthy vulnerabilities. We don’t rely on a single scoring system like CVSS to determine what you need to know about; this is all about qualitative and experience-based analysis, relying on over 100 years of combined industry experience within our team. We look at characteristics such as wormability, ubiquity of the target, likelihood of exploitation and impact. Today, we’ll be focusing on CVE-2021-40444.

CrossView: CVE-2021-40444

What is it?

CVE-2021-40444 is a vulnerability in Office applications which use Protected View, such as Word, PowerPoint and Excel, which allows an attacker to achieve remote code execution (RCE). CVE-2021-40444 is a vulnerability which allows a carefully crafted ActiveX control and a malicious MS Cabinet (.cab) file to be launched from an Office document.

Most importantly, this vulnerability impacts the applications themselves, as well as the Windows Explorer preview pane.

Who cares?

This is a great question! Pretty much anyone who uses any Microsoft Office applications, or has them installed, should be concerned.

Office is one of the most widely-used applications on the planet. Odds are good you have it open right now. While many companies have disabled macros within Office documents at the Group Policy level, it’s unlikely ActiveX is treated similarly. This means that without proper data hygiene, a large proportion of Office users will be vulnerable to this exploit.

Fortunately, “spray and pray” style email campaigns are unlikely to gain traction with this exploit, as mail providers have started flagging malicious files (or at least known PoCs) as potential malware and removing them as attachments.

What can I do?

Good news! You aren’t necessarily completely helpless. By default, Windows uses a flag called the “Mark of the Web” (MoTW) to enable Protected Mode in Office. Email attachments, web downloads, and similar all have this MoTW flag set, and Protected Mode prevents network operations, ActiveX controls, and macros embedded within a document from being executed, which effectively disables exploitation attempts for this vulnerability.

That said, users have become so inured to the Protected View message, they often dismiss it without considering the consequences. Much like “confirmation fatigue” can lead to installing malicious software, attackers can leverage this common human response to compromise the target machine.

Even more so, while exploitation can occur via the Office applications themselves and via the Explorer preview pane, the Outlook preview pane operates in a completely different manner which doesn’t trigger the exploit. Exactly why this difference exists only MS can explain, but the upshot is that Outlook users have to explicitly open malicious files to be exploited – the more hoops users have to jump through to open a malicious file, the less likely they are to be pwned.

If I’m protected by default, why does this matter?

It depends entirely on how the file gets delivered and where the user saves it.

There are many ways of getting files beyond email and web downloads – flash cards for cameras, thumb drives, external hard drives, etc. Files opened from these sources (and many common applications[1]) don’t have the MoTW flag set, meaning that attackers could bypass the protection entirely by sending a malicious file in a .7z archive, or as part of a disk image, or dropping a USB flash drive in your driveway. Convincing users to open such files is no harder than any other social engineering strategy, after all.

Another fun workaround for bypassing default protections is to make use of an RTF file – emailed, downloaded, or otherwise. From our testing, an RTF file saved from an email attachment doesn’t bear the MoTW but can still be used as a vector of exploitation. Whether RTF files become the preferred option for this exploit remains to be seen.
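To see which documents on a machine would open without Protected View, a defender can check for the MoTW directly. The following PowerShell is an added example, not part of the original post; the function name `Get-DocumentMotw`, the extension list and the demo folder are assumptions made for illustration.

```powershell
# Added example: report Office/RTF documents and whether they carry Mark of the Web.
# MoTW lives in the NTFS alternate data stream "Zone.Identifier" as "ZoneId=<n>".
function Get-DocumentMotw {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed extension list; adjust for your environment.
        [string[]]$Extensions = @('.doc', '.docx', '.docm', '.rtf', '.xls', '.xlsx', '.ppt', '.pptx')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $file = $_
            $zoneId = $null
            # A missing stream is an error for Get-Content, so suppress it and test the result.
            $ads = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            foreach ($line in $ads) {
                if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1]; break }
            }
            [pscustomobject]@{
                File    = $file.FullName
                HasMotw = ($null -ne $zoneId)
                ZoneId  = $zoneId   # 0 local, 1 intranet, 2 trusted, 3 internet, 4 restricted
            }
        }
}

# Constructed demo: two sample files in a temp folder, one tagged like a browser download.
$demo = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'downloaded.rtf') -Value '{\rtf1 sample}'
Set-Content -LiteralPath (Join-Path $demo 'from-usb.rtf')   -Value '{\rtf1 sample}'
Set-Content -LiteralPath (Join-Path $demo 'downloaded.rtf') -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

# Files with HasMotw = False will open outside Protected View.
Get-DocumentMotw -Path $demo | Sort-Object HasMotw | Format-Table -AutoSize
```

Pointing `-Path` at download folders, archive extraction directories or mounted removable media shows where untagged documents are accumulating; FAT-formatted volumes cannot hold the stream at all, so every file there reports `HasMotw = False`.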


Ha! We put the tl;dr near the end, which only makes sense when the information above is so important it’s worth reading. But if all you care about is what you can actively do to ensure you’re not vulnerable, this section is for you.


  • Apply the Patch! Available via Windows Update as of 9/14/2021, this is your best solution.
  • Enable registry workaround to disable ActiveX – details can be found on Microsoft’s bulletin page and should effectively disable exploitation attempts until a formal patch can be applied.
  • Confirm that Windows Explorer “Preview” pane is disabled (this is true by default). This only protects against the Preview pane exploitation in Explorer. Opening the file outside of Protected Mode (such as an RTF file) or explicitly disabling Protected Mode will still allow for exploitation.

The Gold Standard

If you simply can’t apply the patch or have a “production patch cycle” or whatever, McAfee Enterprise has you covered. Per our KB we provide comprehensive coverage for this attack across our protection and detection technology stack of endpoint (ENS Expert Rules), network (NSP) and EDR. page=content&id=KB94876

[1] 7zip, files from disk images or other container formats, FAT formatted volumes, etc.