• Zero day CVE 2021-40444

    What is it?

    It’s (yet another) zero day attack that is a TARGETED only attack using Office and RTF file  to take ownership of your machine. Microsoft has updated it’s security advisory with mitigation advice.

    Who is getting attacked?

    At this time just targeted folks – meaning large companies, governmental entities, I’m not seeing widespread buzz that it’s being widely seen. I’m not seeing chatter that it’s impacting smaller firms or individual users at this time.

    What if I want to protect myself just in case?

    I’ve put together a registry key to fully enable all of the protections which include disabling word documents and rtf files in the preview pane.

    To enable this protection click on THIS registry file.

    Download THIS file to reenable it should Microsoft patch it next Tuesday.

    What does the enable registry key do?

    I bundled all of the settings included in that advisory in one reg file.   Note while I did include the setting for removing [-HKEY_CLASSES_ROOT\.docm\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}]  for the docm value in my registry my system didn’t have that value from the get go. Yours may have it so I’ve included it in the registry file.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]




    What does the reenable reg file do?

    It removes the Internet Settings and then puts all of those values regarding ShellEx back.

    Are there any side effects after making these registry changes?

    Honestly I didn’t see any, but then again, I don’t enable the preview pane in Windows Explorer in the first place.  I’ve only enabled it if I have a special project and I need to see a bunch of images. 99.9999999% of the time I don’t have it enabled.

    So why aren’t you sending out an AskWoody alert?

    Well I strongly believe that the AskWoody folks are smarter than the average bear. You know that you shouldn’t be clicking blindly on Office files. You know you shouldn’t be blindly opening up .rtf files. You probably don’t turn on preview pane in Windows explorer anyway.  I don’t. I find that it slows my computer down.  We know not to turn on preview pane in Outlook.

    Bottom line, if I see more chatter and change my mind I’ll let you know. But for now, I know that you are too smart to fall for this.  Look for more information in Monday’s newsletter.

    (Impacts all supported versions of Windows including Windows 11)

    Want to get alerted when the AskWoody MS-DEFCON status changes?

    MS-DEFCON Alert system

    If you want to get alerted when the MS-DEFCON status changes there are two ways to do so:

    Twitter:  https://twitter.com/defconpatch Sign up for twitter and follow that account. Then set up notifications in the twitter app so that you get alerted when the account tweets a change. COST:  free – other than now having a twitter account but I honestly find that some of the best security information and advice is freely given on twitter. You can also follow the official Askwoody twitter account as well.

    Cell phone notifications via text:  You need to be a PLUS member to get the fullest benefit from this service.  We request a small fee requested (along the lines of the decide what you want to pay as the main site has) in order to cover the costs of the monthly texting service and server hosting. Click here to sign up. COST:  We ask a minimum of $1 a month to keep the lights on and the chipmunks powering the servers fed, but if you’d like to donate more to the cause we’d all be appreciative!