Imminent danger from docx files: How to protect yourself (Update)

Security update available

Microsoft has released security updates to address this vulnerability. Please see the table at the bottom of this page to determine the update that is appropriate for your system.

Microsoft is currently warning customers about a serious security vulnerability in connection with docx files. The dangerous thing about this vulnerability is the fact that simply opening the respective Word file is sufficient to execute the malicious code and enable remote code execution. An additional activation of any macros is not necessary. Read on to find out how you can protect yourself from this danger.

How are the attacks carried out?

The criminals use a prepared ActiveX element as an attack vector, which they insert into Microsoft Word files. After opening the file, malicious code is then downloaded via the browser and infects the respective computer. In the cases observed, Cobalt Strike was loaded first, which is also used for threats from dangerous XLL files.

The vulnerability lies in the browser engine MSHTML (also called Trident), which enables the reloading mentioned. This engine is the HTML rendering engine of all versions of Internet Explorer on Windows systems. It was introduced with Internet Explorer 4 and is a core component of all versions of the browser.

It is also possible that users of other browsers are affected by the vulnerability.

What does Microsoft say?

The vulnerability can be viewed at Microsoft under the number CVE-2021-40444. As mentioned on the page, the vulnerability is already being actively exploited. Microsoft points out that no elevated rights or special requirements are necessary to carry out the attack.

How can you protect yourself?

NoSpamProxy protects through Content Disarm and Reconstruction (CDR)

NoSpamProxy users can protect themselves from dangerous docx files by configuring Content Disarm and Reconstruction (CDR) in a content filter action accordingly.

  1. Go to Configuration > Content filter > Content filter actions and click Add. 
  2. Create the content filter action and tick the checkbox Convert Word documents into PDF on the Content Disarm page.
  3. Make the further settings as required.
  4. Select the content filter action in the corresponding content filter entry.

You are now protected by CDR.

Be aware that the process of converting to PDF terminates with an error message. This is a normal behaviour and not a malfunction.

Disable ActiveX via Registry 

Microsoft is working on an official fix and until then recommends disabling ActiveX controls completely via the registry.

Be aware that ActiveX elements that are already active remain unaffected by this.