Patch me if you can: Microsoft cannot close critical security hole
by Tina Siering
The MS Office vulnerability CVE-2021-40444
MS Office exploit CVE-2021-40444 is a vulnerability in MSHTML that allows malicious code to be executed on another computer. The code gets to the target computers via manipulated Office documents, for example via email or a download.
The vulnerability itself is not present directly in Microsoft Office, but in a component that was originally part of Internet Explorer. Office still uses the browser's engine internally for certain functions. In this case, it is about the execution of Active-X controls, as they also occur in web pages. Such Active-X controls are used in the form of macros in the Office environment.
Criminals and hackers like to use Active-X controls to inject malicious code. This malicious code then specifically exploits the vulnerability known to the hacker. In this case, the code allows malware to be reloaded onto the system where the Office document was opened. In this way, the attack via MS Office exploit CVE-2021-40444 initiates further cyberattacks, for example, data theft or extortion with data encryption via ransomware.
In the case of the MS Office exploit CVE-2021-40444 in question here, criminals sent manipulated Office documents primarily via mail. In many cases, the attackers took a very targeted approach and, for example, used mail addresses known to the recipient as the sender. This usually increases the chance that the recipient will trust the message and open the attachment. Simply opening a manipulated document is sufficient, provided that the automatic execution of Active-X controls in Microsoft Office is not deactivated.
How Microsoft tried to close the vulnerability
The exploit CVE-2021-40444 was a zero-day vulnerability. This means that attackers were already actively exploiting the gap before an MS Office patch was available. For this reason and because the vulnerability has enormous damage potential, CVE-2021-40444 was classified as critical by Microsoft.
With the patch of September 14, 2021, Microsoft attempted to close the vulnerability. In doing so, the US software giant analyzed the attack path and blocked the execution of a Microsoft Cabinet (.CAB) file that was part of the specific attack vector. On the other hand, the affected module with the actual vulnerability, the browser component for MSHTML, remained untouched and thus still active.
In the first moment, this MS Office patch stopped the attack path, because the function of reloading via the Microsoft Cabinet file was no longer possible.
Hackers overcome the MS Office patch for vulnerability CVE-2021-40444
The first signs that hackers had responded to Microsoft's fix were seen as early as October 2021. In the process, the criminals have quite obviously discovered that the MS Office vulnerability can be exploited differently as well.
In doing so, the attackers bypass the now blocked attack vector via the Microsoft Cabinet file. Instead, the hackers resort to a data compression program and use a roundabout way to get the malicious code onto the system.
In this case, the selected victim also receives an email with a manipulated attachment. This time, however, it is not a Word document, but a RAR directory. RAR is a compression method. Stand-alone programs such as WinRAR use this technique to create compressed files with their own .RAR file extension. In such an archive, single or even multiple files are then compressed to save space, which makes it easier to send them. The software also allows the creation of self-extracting archives. To open and unpack these archives, it is not necessary to have the actual software installed.
The manipulated .RAR archives belong precisely to the class of these self-extracting files. So, the user opens the .RAR file on his computer to get to the content. However, this archive itself is manipulated. A script is integrated into the header of the archive. The software automatically executes this script when it is executed. The script opens Microsoft Office and the attached document. The already known Active-X control is still included here. However, instead of taking the direct route via Microsoft Office, the script initiates the download of the malware from the archive via the RAR archive. From here, the script opens the operating system's PowerShell and executes the malware that has just been downloaded. The attack is successfully completed and the system is compromised, despite MS Office patch for the CVE-2021-40444 vulnerability.
What do security experts say about the new attack vector related to the MS Office vulnerability CVE-2021-40444?
After analyzing the change in attack behavior, IT security experts conclude that Microsoft bears partial responsibility. The MS Office patch from September for the CVE-2021-40444 vulnerability had too narrow a focus on the specific attack pattern. Accordingly, while the patch prevented a specific way to exploit the vulnerability in Microsoft Office, it did not address the actual exploit. Thus, it is a workaround that will be outwitted by the hackers sooner or later. The cybercriminals obviously managed to do this quite quickly.
These measures offer protection against the current MS Office vulnerability
The actual vulnerability in these attacks is the manipulated Active-X control in the Office document. The attackers need the active assistance of the victims in two places. Without this assistance, the manipulated messages pose no threat.
For this reason, it is important for users to be aware of the vulnerabilities and to take preventive action accordingly. For companies, this means that raising employee awareness is essential. The first point concerns downloading and opening e-mail attachments. Employees may only open these if the sender is absolutely trustworthy and the source of the document is known. The second point involves the company's own IT and network settings. For example, it is important to disable the execution of Active-X controls in Microsoft Office by default. If this feature is disabled, the tampered document will not be able to start the malware download, because this command is hidden in the Active-X control.
Another option is to refrain from using Microsoft Office. The vulnerability is explicitly linked to a component that is only present in Microsoft's software. Alternative office suites, such as Open Office or LibreOffice, do not have the vulnerability. Thus, the manipulated Office documents can also be opened in these programs without any danger from the manipulated Active-X controls. On the other hand, for those who rely on the use of Microsoft Office, this workaround is not a solution.
Unfortunately, the human risk factor can never be completely eliminated. It happens again and again that a user opens a mail attachment again with better knowledge or allows the execution of Active-X controls when Microsoft Office asks for it when executing a manipulated file. Then systems and networks are again at risk. Companies in particular therefore have a duty to take steps to implement proactive threat scanning. This is implemented using software solutions that monitor network activity in real time. In this case, proactive threat hunting starts at the point where the Active-X control initiates the malware download. Security software that monitors activity on the network detects such a download as a potentially malicious action. IT then receives a warning and there is an opportunity to take timely action. This allows a cyberattack to be contained early, before the hackers spread across the network. This defense technique works not only in the case of the Office vulnerability CVE-2021-40444, but also for all other covert attacks within the company's own network.
Conclusion on the MS Office vulnerability CVE-2021-40444
The development around the exploit CVE-2021-40444 in Microsoft Office is representative for many current challenges in IT security. This is directly evident on several levels. First, there is the danger posed by security vulnerabilities that threaten from a wide variety of directions. Modern software is extremely complex, as the example of Office shows, because components of other programs are integrated, which in turn then exhibit the actual vulnerability. In addition, the modern IT infrastructure is built on an enormous number of software platforms, which significantly increases the potential for danger.
A second point is the challenge for companies to secure their networks against all potential threats. Even with a perfect patch strategy, cyber dangers cannot be completely ruled out, as zero-day exploits pose a threat at all times for which there is no traditional protection. Finally, the human factor is again an issue. Even if the security vulnerabilities as well as the attack vectors are known down to the last detail and the company's own employees are sensitized, successful attacks along this path can never be completely ruled out.
All of these points show that the conventional approach to IT security has a major gap. This is the active search for threats as well as early attack detection. This tactic of cyber defense looks for patterns that indicate illegal activity on the network. In this way, the search for hackers' actions is not focused on a specific malware, but much more on connections, data transfers and logins, everyday actions in a network. Such early attack detection systems fill in the gaps that antivirus software, firewalls and security policies do not cover.
secion's Active Cyber Defense Service (ACD) is such a service solution. secion provides this service via the network. Local installation or changes to the systems are therefore not necessary. secion's ACD service monitors all systems within a network, from databases to services for authentication to IoT devices at the edge of the network, and reports identified anomalies. If necessary, the secion analyst team immediately informs the responsible persons in IT Security of the company concerned. In this way, detection of attacks is possible almost in real time, before any damage is done - and without the need for enormous investments in the company's own IT department.