micro$not, mshtml, and activex

back in the dark ages, when i was working at STLabs, before we moved to factoria (i.e. STLabs… so, what? maybe 1995? 1996? somewhere in there), i was testing Internet Explorer version 3.0, which meant, basically, that i was testing micro$not’s browser engine, which is called MSHTML.dll. at the time, a very good friend of mine from college, saint fred (now, sadly, passed on) was mucking about with the innards of micro$not’s operating system, and discovered a problem which had existed for several years prior to this, which micro$not had “made disappear” by changing the technology’s name from OLE — which was, itself, a “renamed” technology, originally called Visual Basic for Applications, or “VB-A” — to “ActiveX”, and, in the process of making it “disappear”, actually made it more prevalent and insidious, by making it work seamlessly with even more micro$not technology.

and, saint fred being who he was, took advantage of this by writing the “Exploder Control”, which could be embedded in a web page, or a microsoft document, and would, when “activated”, perform a clean shutdown of the computer on which it was being viewed… whether you wanted to shut down your computer, or not.

you hit this web page, and, within seconds, your computer shuts down, with no further input from you. 😏

or…

you open this microsoft word document, and, within seconds, your computer shuts down, with no further input from you. 🤣

i watched it happen as it first came out, before anybody realised what it was. it was hilarious! i gave the URI for the exploder control to my boss, and then went back to my workstation and listened, as she suddenly whined “it shut down my computer!” 🤣🤣🤣

and, of course, micro$not’s response to this was to threaten saint fred with lawsuits for doing stuff he shouldn’t have been doing, and when that didn’t work (because fred made sure that the exploder did everything strictly “by the book”, including getting micro$not’s signature on the control), they made the exploder control something that was detected by their anti-virus software (even though it was very clearly NOT a virus, and, actually, did everything totally “by the book”, something to which micro$not never admitted), and, once they figured out that they had caused all of this, they pulled their signature on the control, so that it raised even more red flags before actually activating it…

and, basically, did everything EXCEPT fix the problem, which, after a few months of frantic ass-covering by micro$not’s marketing department, while the tech industry had a good laugh, got swept under the rug, anyway, by more current micro$not fiascos.

but the technology remained, and every version of windows has support for activex, every version of MSHTML.dll has support for activex (which is one of the reasons micro$not got rid of MSHTML.dll a couple years ago, and current versions of Internet Exploder… um… what’s their browser called again? EDGE, that’s it… uses google’s “chrome” browser engine, instead. the browser wars are over! micro$not LOST!) and you can, literally, do ANYTHING with activex, that you could do from the normal user interface of windows, and there is, literally, NOTHING stopping you from doing this — or other, more nefarious things — given A LITTLE knowledge of the technology.

which is why, when i saw this headline: Miscreants fling booby-trapped Office files at victims, no patch yet, says Microsoft the FIRST THING i thought was “Exploder Control strikes again!”

this is one of the VERY BIG reasons i do not use micro$not on my computers. i don’t even have my microsoft 5-button mouse any longer!

i wonder if they’ll ever learn. 🙄

Miscreants fling booby-trapped Office files at victims, no patch yet, says Microsoft
ActiveX and MSHTML, the gift that keeps on giving … to intruders
Iain Thomson in San Francisco
Sep 2021 // 22:20 UTC

In an advisory issued on Tuesday, Microsoft said some of its users were targeted by poisoned Office documents that exploit an unpatched flaw to hijack their Windows machines.

The vulnerability, CVE-2021-40444, is described as a hole in MSHTML, Internet Explorer’s browser engine. Miscreants are seemingly placing a malicious ActiveX control in an Office document and convincing victims to open or view it, potentially achieving remote code execution.

“Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows,” the IT giant stated.

“Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.”

It went on to say how others could also exploit the bug, for which no patch exists yet: “An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

The vulnerability was reported to Redmond on Sunday by the team at malware detection biz, EXPMON, who were credited with the discovery along with a Microsoft staffer and three researchers at security shop Mandiant. US CERT has also issued a warning for IT admins to protect their systems.

“We have reproduced the attack on the latest Office 2019/Office 365 on Windows 10 (typical user environment), for all affected versions please read the Microsoft Security Advisory,” EXPMON said. “The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous).”

Well, up to a point. Microsoft noted that there are mitigations already in place:

By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office both of which prevent the current attack.

And its antivirus tools should be able to detect the exploit:

Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.

Microsoft is no doubt working on a patch, though as a workaround you can protect yourself further by disabling the installation of all ActiveX controls by altering the registry and rebooting. There are full details here.
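The registry workaround mentioned above, as an added example that is not part of the blog post or the Register article: an audit-then-apply script for the "disable ActiveX installation in all Internet Explorer zones" mitigation Microsoft published for CVE-2021-40444. It assumes the documented URL-action values 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) under the policy `Zones` key, with 3 meaning "disable"; the function names are my own.

```powershell
# Added example (not the blog's or the Register's code): audit and apply the
# "disable all ActiveX installation" policy across IE zones 0-3. Assumes the
# documented URL actions 1001 (signed ActiveX) and 1004 (unsigned ActiveX),
# where a value of 3 disables the action. MSHTML honours these zone policies
# whether it is hosted by Internet Explorer or by an Office document.
# Run from an elevated PowerShell and reboot for the change to take effect.

$ZonesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Actions  = @{ '1001' = 'Download signed ActiveX controls'
               '1004' = 'Download unsigned ActiveX controls' }
$Disabled = 3

function Get-ActiveXZoneStatus {
    # One row per zone/action: current value ($null if unset) and whether it is disabled.
    foreach ($zone in 0..3) {
        $path = Join-Path $ZonesKey $zone
        foreach ($action in $Actions.Keys) {
            $current = $null
            if (Test-Path $path) {
                $current = (Get-ItemProperty -Path $path -Name $action -ErrorAction SilentlyContinue).$action
            }
            [pscustomobject]@{
                Zone     = $zone
                Action   = $action
                Meaning  = $Actions[$action]
                Value    = $current
                Disabled = ($current -eq $Disabled)
            }
        }
    }
}

function Set-ActiveXDisabled {
    # Creates missing zone keys and sets both actions to 3 (disabled); supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($zone in 0..3) {
        $path = Join-Path $ZonesKey $zone
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($action in $Actions.Keys) {
            if ($PSCmdlet.ShouldProcess("$path\$action", "Set DWORD to $Disabled")) {
                New-ItemProperty -Path $path -Name $action -PropertyType DWord -Value $Disabled -Force | Out-Null
            }
        }
    }
}

# Usage: show the current state, apply (add -WhatIf to preview), then list anything still open.
Get-ActiveXZoneStatus | Format-Table -AutoSize
Set-ActiveXDisabled
Get-ActiveXZoneStatus | Where-Object { -not $_.Disabled } | Format-Table -AutoSize
```

The second status listing should be empty after a successful run; keep the audit function in a scheduled check so a later policy refresh that re-enables ActiveX is noticed.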