News, tips, advice, support for Windows, Office, PCs & more
Home icon Home icon Home icon Email icon RSS icon

We're community supported and proud of it!

  • Zero day CVE 2021-40444

    Home Forums AskWoody blog Zero day CVE 2021-40444

    Viewing 6 reply threads
    • Author
      • #2388993
        Susan Bradley

        What is it? It’s (yet another) zero day attack that is a TARGETED only attack using Office and RTF file  to take ownership of your machine. Microsoft
        [See the full post at: Zero day CVE 2021-40444]

        Susan Bradley Patch Lady

        5 users thanked author for this post.
      • #2389028
        AskWoody MVP

        For Pro/Edu/Ent editions, you can opt to adjust ActiveX controls via Group Policy to all zones, which is Microsoft’s recommended method.

        In Group Policy settings, navigate to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page

        For each zone:

        Select the zone (Internet Zone, Intranet Zone, Local Machine Zone, or Trusted Sites Zone).

        Double-click Download signed ActiveX controls and Enable the policy. Then set the option in the policy to Disable.

        Double-click Download unsigned ActiveX controls and Enable the policy. Then set the option in the policy to Disable.

        We recommend applying this setting to all zones to fully protect your system.

        Impact of workaround.

        This sets the URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) for all internet zones for 64-bit and 32-bit processes. New ActiveX controls will not be installed. Previously-installed ActiveX controls will continue to run.

        How to undo the workaround

        Set the option in the policy to Enable.


        | Quality over Quantity |
        3 users thanked author for this post.
      • #2389049
        AskWoody MVP

        We know not to turn on preview pane in Outlook.

        I would hazard a guess that most Outlook users have the preview pane enabled.

        But isn’t it relevant that most Office users also have the default Protected View?


        By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office both of which prevent the current attack. For information about Protected View, see What is Protected View?.

        Windows 10 Pro version 21H2 build 19044.1263 + Microsoft 365 (group ASAP)

        2 users thanked author for this post.
      • #2389066
        Rick Corbett

        To enable this protection click on THIS registry file.

        This downloads a REG file called EnableZerodayCVE-2021-40444.reg.

        To clarify… this REG file does NOT enable the vulnerability, despite its name. It DISABLES it, i.e. prevents the vulnerability from occurring.

      • #2389793
        AskWoody Plus

        The only time I use RTF’s is in WordPad (Win 7).  Is WordPad in any danger?

      • #2390190
        AskWoody Lounger

        The only time I use RTF’s is in WordPad

        No worry.  Wordpad does not execute code.

        1 user thanked author for this post.
      • #2390844
        AskWoody Lounger

        Microsoft patched this vulnerability 09/14 for most flavors of OS Server and Workstations.
        In our Windows 10 1909, Server 2012 R2, and Server 2016 test group  IE11 will not start after applying the respective patches.  When IE11 is launched a white screen without any text or controls appears on the screen.  Nothing logged indicating something has been blocked.  The patches are:
        Win10 1909 Sep Cumulative 5005566
        Server 2012 R2 Sep Security Only KB5005627 and IE Cumulative KB5005563
        Server 2016 Sep Cumulative KB5005573

        Appreciate feedback if anyone else has seen this.

    Viewing 6 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, no politics or religion.

    Reply To: Zero day CVE 2021-40444

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.