CVE-2021-40444 – Microsoft HTML Remote Code Execution Vulnerability
Remote code execution (RCE) vulnerabilities sit among the worst a company can be exposed to. The impact compounds when the vulnerable component is reached through Microsoft's Office 365 suite, giving threat actors a way to run their own code via software that over 1 million companies worldwide use (personal use aside). The most recent high-impact CVE (Common Vulnerabilities and Exposures) entry at the time of writing was CVE-2021-40444, published in September 2021 with a CVSS base score of 8.8/10 (High). The flaw itself lived in MSHTML, the legacy Internet Explorer rendering engine that Office uses to display web content inside documents; Office documents were the delivery vector.
What made this CVE dangerous is how little the victim had to do. A document carrying a malicious ActiveX control was delivered, typically by email, and if it was opened outside of Protected View (for instance after the user clicked "Enable Editing", or in an environment where Protected View had been switched off) MSHTML loaded the control and the attacker's code ran on the host with that user's privileges. From there an attacker can do almost anything the user can: drop further tooling, harvest credentials, or move laterally through the business.
The timeline is worth noting: Microsoft published the advisory on 7 September 2021, while the fix shipped with the 14 September 2021 Patch Tuesday release. That left a seven-day window in which companies without compensating controls were exposed, and the vulnerability was already being used in targeted attacks before it was announced. Microsoft's published workaround was to disable the download of ActiveX controls in Internet Explorer for all security zones via the registry (or the equivalent Group Policy setting), and to rely on Protected View or Application Guard for Office to contain documents from the internet. That workaround is not a one-size-fits-all fix: many line-of-business applications still rely on ActiveX controls, and switching off a policy those applications depend on reduces approved functionality, so it needs testing before rollout.
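As an added example (not a script from the original page, from Brace168 or from Microsoft), the following PowerShell audits, applies or rolls back the registry workaround Microsoft published for CVE-2021-40444: values 1001 ("Download signed ActiveX controls") and 1004 ("Download unsigned ActiveX controls") set to 3 (Disable) in Internet Explorer security zones 0 to 3 under the machine-wide Policies key. The key path and values come from that published workaround; the -Mode parameter, the backup file path and the rollback logic are this example's own assumptions.

```powershell
# Added example for CVE-2021-40444: audit, apply or roll back Microsoft's
# published ActiveX registry workaround. Run from an elevated PowerShell
# session. The -Rollback mode and the JSON backup file are assumptions of this
# example, not part of the Microsoft guidance.
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'Apply', 'Rollback')]
    [string]$Mode = 'Audit',
    # Assumed location for the pre-change backup used by Rollback.
    [string]$BackupPath = "$env:ProgramData\activex-zones-backup.json"
)

# Machine-wide policy hive: values here override per-user IE zone settings.
$ZonesRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Values    = @('1001', '1004')   # signed / unsigned ActiveX download actions
$Disable   = 3                   # 0 = Enable, 1 = Prompt, 3 = Disable

function Get-ZoneState {
    # One record per zone/value with the current DWORD data ($null if unset).
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonesRoot $zone
        foreach ($v in $Values) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $v -ErrorAction SilentlyContinue).$v
            }
            [pscustomobject]@{
                Zone      = $zone
                Value     = $v
                Data      = $current
                Mitigated = ($current -eq $Disable)
            }
        }
    }
}

switch ($Mode) {
    'Audit' {
        $state = Get-ZoneState
        $state | Format-Table -AutoSize
        if ($state.Mitigated -contains $false) {
            Write-Warning 'At least one zone still allows ActiveX downloads.'
        } else {
            Write-Host 'All four zones block signed and unsigned ActiveX downloads.'
        }
    }
    'Apply' {
        # Record the existing state first so the change can be reversed once
        # the September 2021 update has been deployed.
        Get-ZoneState | ConvertTo-Json | Set-Content -Path $BackupPath -Encoding UTF8
        foreach ($zone in 0..3) {
            $key = Join-Path $ZonesRoot $zone
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            foreach ($v in $Values) {
                New-ItemProperty -Path $key -Name $v -PropertyType DWord -Value $Disable -Force | Out-Null
            }
        }
        Write-Host "Workaround applied; previous state saved to $BackupPath. Reboot to take effect."
    }
    'Rollback' {
        $saved = Get-Content -Path $BackupPath -Raw | ConvertFrom-Json
        foreach ($entry in $saved) {
            $key = Join-Path $ZonesRoot $entry.Zone
            if ($null -eq $entry.Data) {
                # Value did not exist before: remove it rather than write a default.
                Remove-ItemProperty -Path $key -Name $entry.Value -ErrorAction SilentlyContinue
            } else {
                New-ItemProperty -Path $key -Name $entry.Value -PropertyType DWord -Value $entry.Data -Force | Out-Null
            }
        }
        Write-Host "Previous ActiveX zone settings restored from $BackupPath."
    }
}
```

Run `.\ActiveX-Workaround.ps1 -Mode Audit` (any script name will do) to see the current state of each zone, `-Mode Apply` to set the workaround, and `-Mode Rollback` after the patch has been confirmed installed. Two caveats from Microsoft's guidance apply: a reboot is required for the change to take effect, and the setting only blocks the installation of new ActiveX controls, so controls that were already installed keep running. Because it writes to the Policies hive it also overrides whatever individual users or applications have configured, which is exactly why it should be tested against ActiveX-dependent line-of-business software before being pushed fleet-wide.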
Takeaways from this are:
- Production patches from vendors will not be immediate; expect a window between disclosure and fix, and sometimes active exploitation before disclosure.
- Configuring an environment to minimise the impact of a CVE until a proper fix ships is a case-by-case exercise, and special care is needed whenever policies are changed in a business's environment.
CVE-2019-1109 – Microsoft Office Spoofing Vulnerability
This vulnerability came down to a 'spoofed' request: Microsoft Office JavaScript did not check the validity of the web page making a request to an Office document, so a request from an attacker-controlled page was treated as if it were legitimate. An attacker who exploited it could read or write information in Office documents, allowing sensitive data to leak into the open. Microsoft fixed it in the July 2019 security update by correcting the way Microsoft Office JavaScript verifies the web page making the request, so that only verified, legitimate pages can read from or write to an Office file.
A particularly dangerous use case (beyond the obvious one of an attacker reading confidential information from a file) is an attacker using the write side of the spoofed request to inject malicious content into a document that is then widely distributed, so that it reaches and attacks everyone it is sent to who opens it. All of this stems from the application accepting a requester and an action that should never have been valid, which highlights the danger of a spoofing error. Hardening your environment and monitoring requests are essential to validating endpoints and keeping document access safe.
Brace168 helped its clients create and remove policies that minimised their exposure to this vulnerability; if your business needs assistance doing the same, please reach out!