How to Mitigate Microsoft Office’s Zero Day Attack


Once again, attackers used Office files in targeted attacks against Microsoft users. This time they used the Windows Explorer preview pane to deliver malicious .doc, .docm, and .docx files. Researchers have found that malicious .rtf files can also be used in such attacks. For this exploit, an attacker creates a malicious ActiveX control for use by a Microsoft Office document that hosts the browser rendering engine.

The attacker must convince a user to open the malicious document. So your first line of defense is a savvy user who doesn’t blindly open unexpected files. Additionally, Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protection for the known vulnerability. Your antivirus tools may also already include detections for this exploit.

Microsoft has released CVE-2021-40444 to track this vulnerability. Even when it’s fixed, don’t let your guard down. Instead, I recommend that you keep a protection key that many of us probably don’t do to protect ourselves from malicious Office files, including those used in this most recent exploit.

Microsoft Defender Attack Surface Reduction Rules

A vulnerability analyst at CERT / CC, Will Dorman, underline that using Microsoft Defender’s Attack Surface Reduction (ASR) rules is a better long-term way to protect against such attacks. You can do this in several ways.

You can use Group Policy to configure ASR rules. This parameter is available since version 1709 of Windows 10. The exploit begins with an ActiveX CAB to place a DLL in a known location on the targeted system. A .CPL URI is then used to execute this code. Microsoft’s mitigation focuses on blocking the ActiveX file so that it cannot be called into action. Using ASR rules not only protects you for the current exploit, but also for future similar exploits.

To activate this setting, select in order:

  1. “The configuration of a computer”
  2. “Administrative Templates”
  3. “Windows components”
  4. “Microsoft Defender Antivirus”
  5. “Microsoft Defender Exploit Guard”
  6. “Reduction of the attack surface”
  7. “Configure Attack Surface Reduction Rules” and make sure the value is set to “Enabled”

In earlier versions, “Microsoft Defender Antivirus” was referred to as “Windows Defender Antivirus”. so your group policy may need to be refreshed to follow the new name even though the old name will still work.

bradley officezero1 Susan bradley

Select “Show …” and check the rule ID in the “Value name” column and the desired state in the “Value” column is set as follows:

Value name: D4F940AB-401B-4EFC-AADC-AD5F3C50688A

Value: 1

bradley officezero2 Susan bradley

ASR features are available in Windows 10 Pro v1709 or later, Windows 10 Enterprise v1709 or later, Windows Server v1803 (Semi-Annual Channel) or later, and Windows Server 2019 or later. All ASR protections are available in Windows 10 Pro, but more reporting and monitoring features are available in enterprise SKUs.

If you prefer more targeted protection and only follow Microsoft-specific instructions, you can do so by disabling the installation of all ActiveX controls in Internet Explorer. You can do this for all sites by configuring Group Policy using your local Group Policy Editor or by updating the registry. In Group Policy, navigate in this order to:

  1. “The configuration of a computer”
  2. “Administrative Templates”
  3. “Windows components”
  4. “Internet Explorer”
  5. “Internet Control Panel”
  6. “Security page”

Select each zone (Internet zone, intranet zone, local machine zone, or trusted sites zone) and double-click “Download signed ActiveX controls and activate the policy”. Then set the option in the policy to “Disable”. Double-click on “Download unsigned ActiveX controls and activate the policy”. Then set the option in the policy to “Disable”.

Microsoft recommends that you set this for the Internet zone, the intranet zone, the local machine zone, and the trusted sites zone. If you rely on ActiveX for all internal functions, this will allow previously installed and deployed ActiveX controls to continue to function, but will block the installation and use of any new ActiveX controls in your systems. In my testing, I didn’t see any side effects with disabling ActiveX in this way. You can also use registry keys to disable these ActiveX controls.

Disable Windows Explorer Preview Pane

It is also recommended to turn off shell preview in Windows Explorer. I don’t activate the preview pane in Windows Explorer unless I have a specific need or task in mind. It slows down my computer if it’s on.

To disable both ActiveX and Windows Explorer views of .doc, .docm, .docx, and .rtf files, use the following registry key (also downloadable from this link):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsCurrentVersionInternet SettingsZones