影响范围
- Windows Server, version 20H2 (Server Core Installation)
- Windows Server, version 2004 (Server Core installation)
- Windows Server 2022 (Server Core installation)
- Windows Server 2022
- Windows Server 2019 (Server Core installation)
- Windows Server 2019
- Windows Server 2016 (Server Core installation)
- Windows Server 2016
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 (Server Core installation)
- Windows Server 2012
- Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
- Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows RT 8.1
- Windows 8.1 for x64-based systems
- Windows 8.1 for 32-bit systems
- Windows 7 for x64-based Systems Service Pack 1
- Windows 7 for 32-bit Systems Service Pack 1
- Windows 10 for x64-based Systems
- Windows 10 for 32-bit Systems
- Windows 10 Version 21H1 for x64-based Systems
- Windows 10 Version 21H1 for ARM64-based Systems
- Windows 10 Version 21H1 for 32-bit Systems
- Windows 10 Version 20H2 for x64-based Systems
- Windows 10 Version 20H2 for ARM64-based Systems
- Windows 10 Version 20H2 for 32-bit Systems
- Windows 10 Version 2004 for x64-based Systems
- Windows 10 Version 2004 for ARM64-based Systems
- Windows 10 Version 2004 for 32-bit Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1809 for x64-based Systems
- Windows 10 Version 1809 for ARM64-based Systems
- Windows 10 Version 1809 for 32-bit Systems
- Windows 10 Version 1607 for x64-based Systems
- Windows 10 Version 1607 for 32-bit Systems
漏洞类型
远程命令执行
利用条件
影响范围应用
漏洞概述
2021年9月8日,微软发布安全通告披露了Microsoft MSHTML远程代码执行漏洞,攻击者可通过制作恶意的ActiveX控件供托管浏览器呈现引擎的 Microsoft Office文档使用,成功诱导用户打开恶意文档后,可在目标系统上以该用户权限执行任意代码,微软在通告中指出已检测到该漏洞被在野利用,请相关用户采取措施进行防护。
MSHTML(又称为Trident)是微软旗下的Internet Explorer浏览器引擎,也用于Office应用程序,以在Word、Excel或PowerPoint文档中呈现Web托管的内容,AcitveX控件是微软COM架构下的产物,在Windows的Office套件、IE浏览器中有广泛的应用,利用ActiveX控件即可与MSHTML组件进行交互。
漏洞复现
出于安全规范,本文不给出具体利用过程,仅以证明为主,警示相关行业人员进行紧急修复!!!
命令执行:
社工钓鱼:
切勿打开任何来历不名的Office应用
安全建议
1、临时缓解
在Internet Explorer中禁用所有区域的ActiveX控件安装可缓解此漏洞攻击,可通过创建注册表文件禁用ActiveX控件(建议备份后再进行操作)
a、将以下方框中的内容粘贴到文本文件中并使用.reg文件扩展名保存
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003b、双击.reg 文件,将其应用到策略配置单元
c、重新启动系统以确保应用新配置
备注:如果要撤消此缓解措施,可以直接通过删除在实施此操作时添加的注册表项来实现
2、产品更新防护
目前Microsoft Defender Antivirus和Microsoft Defender for Endpoint都支持为已知漏洞提供检测和保护,请相关用户及时更新反恶意软件产品,使用自动更新的用户无需采取额外措施,管理更新的企业客户应选择检测版本1.349.22.0或更高版本,并在环境中进行部署,Microsoft Defender for Endpoint警报将显示为:"可疑的Cpl文件执行"