About CVE-2021-40444

Microsoft has recently published a security bulletin about the Microsoft MSHTML Remote Code Execution Vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
Others urge anybody to apply the only workaround against this 0day because it has been publicly disclosed.

How would you do that by Group Policy on a domain joined device.

#Requires -RunasAdministrator
#Requires -Modules ActiveDirectory,GroupPolicy
[CmdletBinding()]
Param()
Begin{}
Process {
# Make sure we can reach the PDC
$PDC = (Get-ADDomainController Service 1 Discover ErrorAction SilentlyContinue).Hostname
if ($PDC) {
# Get the domain name
$DomainName = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
# Create the GPO
try {
$GPO = New-GPO Name 'Workaround for CVE-2021-40444' Domain "$($DomainName)" ErrorAction Stop
} catch {
Write-Warning Message "Failed to create GPO because $($_.Exception.Message)"
}
if ($GPO) {
# Don't need user settings
$GPO.GpoStatus = [Microsoft.GroupPolicy.GpoStatus]::UserSettingsDisabled
$HT = @{ GUID = ($GPO).Id ; ErrorAction = 'Stop' }
# Zones
0..3 |
ForEach-Object {
$ZoneId = $_
1, # URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001)
4 | # URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004)
ForEach-Object {
$Value = $_
$reg = @{
Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\{0}' -f $ZoneId
ValueName = '100{0}' -f $Value
Type = 'DWORD'
Value = 3
}
try {
Set-GPRegistryValue @HT @reg
} catch {
Write-Warning Message "Faile to set GPO setting because $($_.Exception.Message)"
}
}
}
}
}
}
End{}

If you look in the GPMC snap-in it looks like this:

Next steps are:
– you may need to add a filter if you want
– you may want to change the permissions, delegation…if required in your environement
– you need to link it on a OU or at another level so that the GPO actually applies to vulnerable computers
– wait for Microsoft. They will release a patch as soon as it’s ready

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.