
ActiveX

Updated: Sep 26, 2021

CVE-2021-40444 is a client-side remote code execution vulnerability in MSHTML, reported on 7 Sep 2021 and later updated on 14 Sep 2021. ActiveX is a core component of Windows which helps render web-based content.


This new client-side attack sees recipients being exploited through booby-trapped Microsoft Office documents. In short, a typical timeline of infection might go something like this:

  • A user downloads or receives a booby-trapped Microsoft Office file. Perhaps they are socially engineered into clicking on a malicious link, or find the poisoned file in their inbox.

  • The user opens the Microsoft Office file to view its contents, but it contains an embedded malicious ActiveX control.

  • The ActiveX control exploits the bug in Windows MSHTML to gain the same level of control as the user, whereupon it installs malware of the hacker’s choice.


“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” Microsoft Attack team

Researcher Haifei Li of EXPMON, who reported their discovery of the vulnerability to Microsoft, said that it was already being exploited “in-the-wild” and advised, in the absence of an official patch, that

fix rather than a full patch be created in the first instance to protect customers.


It has been advised that registry settings should be enforced that prevent new ActiveX controls from running. Previously installed ActiveX controls will continue to run, but do not expose this vulnerability.
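One way to check whether that setting is in place, as an added example that is not from the original post. The post does not name the registry values; this assumes they are the Internet Explorer URL-action policy values 1001 and 1004 set to 3 (disable) in zones 0 to 3, as in Microsoft's published workaround, and the function name is hypothetical.

```powershell
# Added example: audit (and optionally set) the URL-action policy values that
# stop new ActiveX controls from being installed in the Internet Explorer zones.
# Assumption: the post does not name the values; 1001/1004 = 3 in zones 0-3
# follows the workaround in Microsoft's advisory for CVE-2021-40444.
function Test-ActiveXInstallBlocked {
    [CmdletBinding()]
    param(
        [switch]$Enforce   # write the values instead of only reporting them
    )
    $base    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    $zones   = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet' }
    $actions = @{ '1001' = 'Download signed ActiveX controls'
                  '1004' = 'Download unsigned ActiveX controls' }
    $disable = 3   # URLPOLICY_DISALLOW

    foreach ($zone in ($zones.Keys | Sort-Object)) {
        $key = Join-Path $base "$zone"
        foreach ($action in ($actions.Keys | Sort-Object)) {
            if ($Enforce) {
                # Create the policy key if it is missing, then set the DWORD.
                if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                New-ItemProperty -Path $key -Name $action -Value $disable `
                    -PropertyType DWord -Force | Out-Null
            }
            # A missing key or value yields $null, reported as 'not set'.
            $current = (Get-ItemProperty -Path $key -Name $action `
                            -ErrorAction SilentlyContinue).$action
            [pscustomobject]@{
                Zone    = "$zone ($($zones[$zone]))"
                Action  = "$action ($($actions[$action]))"
                Value   = if ($null -eq $current) { 'not set' } else { $current }
                Blocked = ($current -eq $disable)
            }
        }
    }
}

# Report only; run from an elevated prompt with -Enforce to apply the setting.
Test-ActiveXInstallBlocked | Format-Table -AutoSize
```

Any row with `Blocked` set to `False` is a zone where a new ActiveX control can still be installed.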


What is ActiveX


ActiveX controls are Internet Explorer’s version of plug-ins. For example, Internet Explorer’s Flash player is an ActiveX control. Unfortunately, ActiveX controls have been a significant source of security problems in the past.


ActiveX controls are essentially pieces of software and have access to your entire computer if you opt to install and run them. If you’re using Internet Explorer, websites can prompt you to install ActiveX controls — and this feature can be used for malicious purposes.


An ActiveX control is a small program for Internet Explorer, often referred to as an add-on. ActiveX controls are like other programs — they aren’t restricted from doing bad things with your computer. They could monitor your personal browsing habits, install malware, generate pop-ups, log your keystrokes and passwords, and do other malicious things.


ActiveX controls are actually not Internet Explorer-only; they also work in other Microsoft applications, such as Microsoft Office. Other browsers, such as Firefox, Chrome and Safari, all use other types of browser plug-ins.


Remediation


You can view the ActiveX controls you have installed by clicking the gear menu in Internet Explorer and selecting Manage Add-ons. Then click the box under Show and select All add-ons.


There might be a variety of common ActiveX controls installed system-wide, such as Adobe’s Shockwave Flash, Microsoft Silverlight, and Windows Media Player.


You can disable these from here, but you’ll have to uninstall them from the Control Panel if you want to remove them from your system.



