This Windows exploit can hijack your PC and there's no fix yet — what to do now [updated]
Updated Sept. 14, 2021, with the fix for this flaw released as part of the September Patch Tuesday updates.
Earlier this week, Microsoft warned of a new zero-day exploit that lets attackers use booby-trapped Office 365 files to hijack any and all Windows PCs.
The Microsoft security advisory for this flaw, catalogued as CVE-2021-40444, said users should heed the Protected View warning that Word, Excel or PowerPoint displays when opening a file downloaded from the internet, and should not click the "Enable Editing" button on such files.
But the problem is actually much worse than that and harder to defend against. Office isn't even necessary for this exploit to work. Merely previewing a booby-trapped Rich Text Format (RTF) file in File Explorer is enough to trigger it, as CERT/CC vulnerability analyst Will Dormann demonstrated on Twitter yesterday (Sept. 9).
"Inspired by @buffaloverflow, I tested out the RTF attack vector. And it works quite nicely. WHERE IS YOUR PROTECTED MODE NOW?" pic.twitter.com/qf021VYO2R (September 9, 2021)
The actual attack mechanism hasn't been publicly revealed, but several security researchers have replicated the exploit, which is also being actively used in attacks on what appear to be mainly U.S. targets.
Microsoft may patch this flaw in next Tuesday's round of monthly updates, but we won't know for certain until then. Windows 7, 8.1, 10 and 11 are all vulnerable, as are all versions of Microsoft Office.
For the moment, home Windows users can reduce their exposure to this attack by disabling ActiveX, Microsoft's outmoded programming framework, in Office (we'll show you how below) and by running one of the best antivirus programs.
Taking those steps will protect Office and will stop known malicious files, but attackers can easily create new malicious files or use non-Office files. You'll just be playing whack-a-mole until Microsoft patches this.
The only sure-fire way to protect yourself from these attacks, at least until Sept. 14, is to block the installation of ActiveX controls system-wide through the Windows Registry, the central database that governs each Windows system. That's a risky move unless you truly know what you're doing, but we'll show you how to do that as well.
How to disable ActiveX in Office 365/Microsoft Office
This will disable the ability to view web-based content in Word, Excel, PowerPoint or other Office applications.
- Open a Word document, Excel spreadsheet or PowerPoint presentation.
- Click File in the top left to reveal the left-hand navigation bar.
- Scroll all the way down and click Options.
- Click Trust Center in the left-hand navigation bar of the window that pops up.
- Click the Trust Center Settings button in the right-hand pane.
- Select ActiveX Settings in the left-hand navigation bar.
- Select "Disable all controls without notification" in the right-hand pane.
How to disable ActiveX in Windows entirely
Warning: This involves editing the Windows Registry, and one mistake could severely damage your Windows installation.
As Microsoft itself says in the advisory warning of this exploit, "you may cause serious problems that may require you to reinstall your operating system." Tom's Guide can't take responsibility if that happens to you, so proceed at your own risk.
This will also disable your ability to view web-based content in Word, Excel, PowerPoint or other Office applications, will cripple Internet Explorer, and may also affect File Explorer and other programs built into Windows. It will not affect Microsoft Edge. Technically, the script below sets two URL actions, "Download signed ActiveX controls" (1001) and "Download unsigned ActiveX controls" (1004), to 3 (disable) in all four Internet Explorer security zones, so no new ActiveX control can be installed.
1. Make sure you're running Windows in an Administrator account.
2. Copy and paste all of the following text into a text file, exactly as written, including the line breaks:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
3. Save the text file to your desktop with the ".reg" file extension. The name of the file doesn't matter (it's the extension that counts), but you could call it "flaw-fix.reg", for example.
4. Locate the file on your desktop and double-click it.
5. Click "Yes" in the window that pops up warning you of all the bad things that could happen if you edit the Registry.
6. Reboot your PC.
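Anything in a .reg file you double-click is written to the Registry with your administrator rights, so it is worth checking that a script copied from a web page does exactly what the advisory describes and nothing more. The Python script below is an added example (it is not part of the original article or of Microsoft's advisory): it generates the script above and, more usefully, parses any .reg text and confirms that it only sets values 1001 and 1004 to 3 under the four Internet Settings zone keys, flagging any other key, value or deletion. The parser understands only dword values, which is all this mitigation needs; the helper names and the "tampered" sample are our own constructions.

```python
"""Verify a .reg mitigation script before importing it (added example)."""
import re

EXPECTED_HEADER = "Windows Registry Editor Version 5.00"
ZONES_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows"
             r"\CurrentVersion\Internet Settings\Zones")
# URL actions the advisory's mitigation sets: 1001 = download signed ActiveX,
# 1004 = download unsigned ActiveX; 3 means "disable".
EXPECTED_VALUES = {"1001": 3, "1004": 3}
EXPECTED_ZONES = ("0", "1", "2", "3")   # My Computer, Intranet, Trusted, Internet


def parse_reg(text):
    """Return {key: {value_name: int}} for a .reg file that only contains dword
    values. Anything else (strings, binaries, key deletions) raises, because a
    mitigation script has no business containing it."""
    lines = [line.strip() for line in text.splitlines()]
    if not lines or lines[0] != EXPECTED_HEADER:
        raise ValueError("missing or unexpected .reg header")
    result, current = {}, None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current.startswith("-"):
                raise ValueError("script deletes key " + current[1:])
            result.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m is None or current is None:
            raise ValueError("unsupported or misplaced line: %r" % line)
        result[current][m.group(1)] = int(m.group(2), 16)
    return result


def check_activex_mitigation(text):
    """Return a list of problems; an empty list means the script matches the advisory."""
    try:
        keys = parse_reg(text)
    except ValueError as exc:
        return [str(exc)]
    wanted = {"%s\\%s" % (ZONES_KEY, z): EXPECTED_VALUES for z in EXPECTED_ZONES}
    problems = []
    for key, values in keys.items():
        if key not in wanted:
            problems.append("touches unexpected key " + key)
            continue
        for name, val in values.items():
            if name not in EXPECTED_VALUES:
                problems.append("%s: sets unexpected value %s" % (key, name))
            elif val != EXPECTED_VALUES[name]:
                problems.append("%s: %s is %d, expected %d" % (key, name, val, EXPECTED_VALUES[name]))
    for key in wanted:
        missing = sorted(set(EXPECTED_VALUES) - set(keys.get(key, {})))
        if missing:
            problems.append("%s: missing %s" % (key, missing))
    return problems


def build_mitigation_reg():
    """Emit the advisory's script, generated rather than hand-typed."""
    out = [EXPECTED_HEADER, ""]
    for z in EXPECTED_ZONES:
        out.append("[%s\\%s]" % (ZONES_KEY, z))
        for name, val in EXPECTED_VALUES.items():
            out.append('"%s"=dword:%08x' % (name, val))
        out.append("")
    return "\n".join(out)


# Constructed example of a script that looks right at a glance but re-enables
# signed ActiveX downloads in the Internet zone and adds an unrelated Run value.
TAMPERED = build_mitigation_reg().replace(
    "[%s\\3]\n\"1001\"=dword:00000003" % ZONES_KEY,
    "[%s\\3]\n\"1001\"=dword:00000000" % ZONES_KEY,
) + '\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"Updater"=dword:00000001\n'

if __name__ == "__main__":
    print(build_mitigation_reg())
    print("advisory script:", check_activex_mitigation(build_mitigation_reg()) or "OK")
    print("tampered script:", check_activex_mitigation(TAMPERED))
```

Run it with no arguments to print the clean script and the verdicts on both samples; to vet a file you were sent, read it with open(path, encoding="utf-16") if Registry Editor exported it (exports are UTF-16 with a byte-order mark) or as plain text if you typed it in Notepad, and pass the text to check_activex_mitigation. The deliberately narrow grammar is the point: a script that needs anything the parser rejects is not the mitigation the advisory describes.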
What's going on here?
Back in the mid-1990s, Microsoft created a programming framework called ActiveX to compete with Java and JavaScript, two tools that were being widely used to create rich web content. It embedded ActiveX into MSHTML, the rendering engine that powered the Internet Explorer web browser.
Today, neither ActiveX nor Internet Explorer is still being developed, but MSHTML remains the HTML rendering engine used by Office and many built-in Windows programs, including on Windows 11. Hence Word, Excel, PowerPoint, File Explorer and other common Microsoft applications still use MSHTML and ActiveX.
Think of each of those programs as having a mini Internet Explorer built in, whether or not IE itself is installed on the system.
"Word uses MSHTML in a way which has almost no security," wrote security expert Kevin Beaumont on Twitter this past Wednesday (Sept. 8). "It's a pretty rich attack surface."
"JS and ActiveX is trusted, because Word uses MSHTML in a way which has almost no security. It's a pretty rich attack surface." (September 8, 2021)
In this case, the attackers, thought to be part of the BazarLoader malware campaign, are pumping out phishing emails with attached Word documents that may be of interest to the recipients. One prime example seems to come from a lawyer in Minneapolis threatening that you're about to be sued in small-claims court.
That example might look like an obvious phishing email to many people, but attackers could mine your social media posts to craft a document that is better at fooling you. As Dormann pointed out, they could also send an RTF file instead of an Office one to avoid Protected View, or wrap a Word document in a Zip file or other compressed folder, which likewise sidesteps Protected View.
Once the Office file or RTF file is opened, the web-based content in the file activates MSHTML, which then uses ActiveX to render that content.
The attackers are creating customized, malicious ActiveX "controls," or programming modules, to hijack your PC, but Beaumont said on Twitter that he had found a way to trigger the exploit without any new ActiveX controls.
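Because the dangerous ingredient is a document that pulls content from outside itself, a cheap triage step for an attachment is to list what the document declares it will fetch. A .docx, .xlsx or .pptx is a zip of XML parts, and every part that points outside the package is recorded in a *.rels file with TargetMode="External". The Python script below is an added example (it is not code from the article, from Tom's Guide or from Microsoft): it lists all external relationships that are not ordinary hyperlinks, such as an OLE object whose Target is a URL, and adds a simple heuristic for RTF files, which embed OLE objects with the \objclass and \objdata control words. The relationship XML follows the standard Open Packaging Conventions layout; the sample .docx is constructed in memory so the script runs offline, the function names are ours, and the RTF check is a heuristic rather than a signature for this particular exploit.

```python
"""List externally fetched content declared by an Office document (added example)."""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
HYPERLINK = DOC_REL + "hyperlink"


def list_relationships(package_bytes):
    """Return every relationship declared in any *.rels part of the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                found.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel.get("Type", ""),
                    "target": rel.get("Target", ""),
                    "external": rel.get("TargetMode", "Internal") == "External",
                })
    return found


def external_objects(package_bytes):
    """External relationships other than plain hyperlinks: content the
    application itself would fetch and render when the part is activated."""
    hits = []
    for rel in list_relationships(package_bytes):
        if rel["external"] and rel["type"] != HYPERLINK:
            rel["scheme"] = urlsplit(rel["target"]).scheme.lower()
            hits.append(rel)
    return hits


def rtf_has_embedded_object(rtf_bytes):
    """Heuristic for RTF: an embedded OLE object carries \\objclass and/or \\objdata."""
    if not rtf_bytes.lstrip().startswith(b"{\\rtf"):
        return False
    return b"\\objdata" in rtf_bytes or b"\\objclass" in rtf_bytes


def build_sample_docx(ole_target):
    """Constructed minimal .docx: one ordinary hyperlink plus one OLE object
    relationship whose target is external, the pattern worth flagging."""
    doc_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%shyperlink" Target="https://example.invalid/" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="%soleObject" Target="%s" TargetMode="External"/>'
        '</Relationships>'
    ) % (PKG_REL_NS, DOC_REL, DOC_REL, ole_target)
    pkg_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%sofficeDocument" '
        'Target="word/document.xml"/></Relationships>'
    ) % (PKG_REL_NS, DOC_REL)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels", pkg_rels)
        z.writestr("word/document.xml", '<?xml version="1.0" encoding="UTF-8"?>'
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real .docx path to scan it; with no argument, scan the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_docx("http://example.invalid/obj.html")
    for hit in external_objects(data):
        print("EXTERNAL %s in %s: %s via %s -> %s" % (
            hit["id"], hit["part"], hit["type"].rsplit("/", 1)[-1], hit["scheme"], hit["target"]))
```

A hit is not proof of malice (legitimate documents do link external objects), but a document from a stranger that fetches an object over a URL belongs in a sandbox, not behind "Enable Editing". The same scan works on .xlsx and .pptx because the relationship mechanism is shared across the package format.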
Whatever the mechanism, the end result is that malware using the exploit gains the same privileges on the system as the current user. If you're running Windows as a standard user without the ability to install, update or delete applications or change system settings, the damage will be limited. But if you're running Windows as an administrator, the malware can truly take over your system.
The ultimate goal, at least in the current malware campaign, is to install the Cobalt Strike backdoor on the system to create a persistent, hidden channel for remote control.
Update: Microsoft patches this flaw in its system update
Microsoft patched this flaw on Tuesday, Sept. 14, in its scheduled round of Patch Tuesday updates. Patches are available for Windows 7 (in extended support) through Windows 10 version 21H1.
Source: https://www.tomsguide.com/news/microsoft-mshtml-zero-day-flaw