On 7 September 2021 Microsoft confirmed a remote code execution (RCE) vulnerability in Windows 10. Tracked as CVE-2021-40444 [1], it lets cybercriminals take remote control of a compromised system and was already being used for zero-day attacks in the wild.
The flaw lies in MSHTML, Internet Explorer's browser rendering engine, which is also used by Microsoft Office documents. CVE-2021-40444 is reported to be in use for delivering Cobalt Strike payloads, a commonly used threat emulation framework.
A researcher at EXPMON first disclosed the zero-day in a tweet, advising that "Office users should be extremely careful with Office files". They had reported it to Microsoft on Sunday, 5 September. Shortly afterwards Microsoft published a security advisory recommending workarounds while the company investigated. On 14 September Microsoft patched the vulnerability [2].
How attackers exploit CVE-2021-40444
Cybercriminals can craft a malicious ActiveX control inside a Microsoft Office document (.docx). The document acts as the host for the MSHTML browser rendering engine and for an OLEObject, and the OLEObject points to a crafted web page.

The attacker must then trick the target into opening the file. Once it is opened, the MSHTML engine uses the ActiveX control to run an HTML file containing an obfuscated script, which in turn downloads a malware payload or a remote access control.

Microsoft notes that users with administrative rights are more exposed to this type of attack than users with fewer or no user rights.
Mitigations and workarounds
Microsoft advises that disabling the installation of all ActiveX controls in Internet Explorer helps mitigate the current attacks. This is done by updating the registry through Group Policy, using the Local Group Policy Editor. Once disabled, new ActiveX controls cannot be installed, while previously installed ActiveX controls continue to run.
How Deep CDR™ Technology Can Protect Against Zero-Day Attacks
Content Disarm and Reconstruction (CDR) can help mitigate the risk posed by this vulnerability. Deep CDR™ Technology assumes every file is malicious, then sanitizes and rebuilds the file's components so that the result is fully usable and contains only safe content. The technology effectively disarms all file-based threats, including complex and sandbox-aware threats and threats equipped with malware evasion technology such as fully undetectable malware or obfuscation.
In this case, the Deep CDR™ Technology removes all potential threat objects like the OLEObject and ActiveX from the document file. After sanitization, the document no longer contains the malicious HTML link.

The file is scanned by MetaDefender Cloud, which detects the threat; the scan result supports a sanitization action:
After sanitization, the result shows that the OLEObject has been removed and the file is safe to open:
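As an added illustration of the sanitization step described above (this is example code written for this page, not OPSWAT's Deep CDR™ implementation), the following Python script opens a .docx as the ZIP archive it is, lists every relationship that binds a w:object to an OLE object or ActiveX control, and rebuilds the archive with those objects, their relationships and any word/activeX/ parts removed while the document text is kept. The sample document, its relationship ids and the example.invalid URL are all constructed for the demonstration; the only thing taken from the real attack shape is that the OLEObject's relationship is an external mhtml: link rather than an embedded part.

```python
"""Added example: find and strip OLE/ActiveX objects from a .docx.

Not OPSWAT code. The sample document, relationship ids and the
example.invalid URL below are constructed for the demonstration.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by WordprocessingML parts and package relationships.
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
O = "urn:schemas-microsoft-com:office:office"
PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship types that bind a w:object to an OLE object or ActiveX control.
RISKY_REL_TYPES = {R + "/oleObject", R + "/control"}
for _prefix, _uri in (("w", W), ("r", R), ("o", O), ("pr", PKG)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample: one paragraph of text plus an OLEObject whose
# relationship is an external mhtml: link instead of an embedded part.
DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W}" xmlns:r="{R}" xmlns:o="{O}">
  <w:body>
    <w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>
    <w:p><w:r><w:object>
      <o:OLEObject Type="Link" ProgID="htmlfile" r:id="rId5"/>
    </w:object></w:r></w:p>
  </w:body>
</w:document>"""
RELS_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{PKG}">
  <Relationship Id="rId1" Type="{R}/styles" Target="styles.xml"/>
  <Relationship Id="rId5" Type="{R}/oleObject" TargetMode="External"
    Target="mhtml:http://example.invalid/word.html"/>
</Relationships>"""


def build_sample_docx() -> bytes:
    """Pack the constructed parts into a minimal .docx-style ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder part
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/_rels/document.xml.rels", RELS_XML)
        z.writestr("word/styles.xml", "<styles/>")  # placeholder part
    return buf.getvalue()


def read_part(docx_bytes: bytes, name: str) -> bytes:
    """Return one part of the archive as raw bytes (used for inspection)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(name)


def find_risky_relationships(docx_bytes: bytes) -> list:
    """List (Id, Target, is_external) for every OLE/ActiveX relationship."""
    rels = ET.fromstring(read_part(docx_bytes, "word/_rels/document.xml.rels"))
    return [
        (rel.get("Id"), rel.get("Target"), rel.get("TargetMode") == "External")
        for rel in rels.iter(f"{{{PKG}}}Relationship")
        if rel.get("Type") in RISKY_REL_TYPES
    ]


def sanitize_docx(docx_bytes: bytes) -> tuple:
    """Rebuild the archive without OLE/ActiveX objects.

    Drops every w:object that references a risky relationship, the
    relationships themselves and any word/activeX/ parts; every other part
    (and the document text) is copied through unchanged.
    """
    removed = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
        passthrough = {
            name: z.read(name) for name in z.namelist()
            if name not in ("word/document.xml", "word/_rels/document.xml.rels")
            and not name.startswith("word/activeX/")
        }
    risky_ids = {rel.get("Id") for rel in rels.iter(f"{{{PKG}}}Relationship")
                 if rel.get("Type") in RISKY_REL_TYPES}
    # ElementTree has no parent pointers, so walk parents and prune children.
    for parent in list(doc.iter()):
        for child in list(parent):
            if child.tag != f"{{{W}}}object":
                continue
            refs = {e.get(f"{{{R}}}id") for e in child.iter()} & risky_ids
            if refs:
                parent.remove(child)
                removed.extend(sorted(refs))
    for rel in list(rels):
        if rel.get("Id") in risky_ids:
            rels.remove(rel)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in passthrough.items():
            z.writestr(name, data)
        z.writestr("word/document.xml",
                   ET.tostring(doc, encoding="UTF-8", xml_declaration=True))
        z.writestr("word/_rels/document.xml.rels",
                   ET.tostring(rels, encoding="UTF-8", xml_declaration=True))
    return out.getvalue(), removed


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", find_risky_relationships(sample))
    clean, dropped = sanitize_docx(sample)
    print("removed:", dropped, "after:", find_risky_relationships(clean))
```

Run stand-alone, the script reports the external oleObject relationship before sanitization and an empty list after it. The design point mirrors the CDR stance in the text: the sanitizer does not try to decide whether the linked page is malicious, it removes the whole class of active object from the document and keeps only the content it can reconstruct.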

About Deep CDR™ Technology
Deep CDR™ Technology is a market leader with superior features like multi-level archive processing, the accuracy of file regeneration, and support for 100+ file types. Our technology provides in-depth views of what is being sanitized and how data are sanitized, allowing you to make informed choices and define configurations to meet your use cases. The result? Safe files with 100% of threats eliminated within milliseconds, so your workflow is not interrupted.
To learn more about Deep CDR™ Technology and how OPSWAT can protect your organization, talk to one of our critical infrastructure cybersecurity experts.
References
[1] "Microsoft MSHTML Remote Code Execution Vulnerability". 2021. Microsoft Security Response Center. https://msrc.microsoft.com/upd...
[2] "Microsoft patches actively exploited MSHTML zero-day RCE (CVE-2021-40444)". 14 September 2021. Help Net Security. https://www.helpnetsecurity.co...
