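Microsoft ActiveX controls are widely used in the Windows Office suite and the IE browser, typically to interact with the MSHTML component.
The Microsoft MSHTML engine contains a remote code execution vulnerability. An attacker can craft a Microsoft Office document containing a malicious ActiveX control and exploit the flaw by luring a target user into opening it. A remote attacker who successfully exploits this vulnerability can execute arbitrary code on the system with that user's privileges.
Affected versions: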
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
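Microsoft has not yet released a security update and currently offers only temporary mitigations. By default, Microsoft Office opens documents from the Internet in Protected View or Application Guard, both of which prevent the current attack. Disabling the installation of all ActiveX controls in Internet Explorer mitigates this attack; this can be applied to all sites by updating the registry.
Steps:
1. Disable ActiveX controls on an individual system:
To disable the installation of ActiveX controls in all zones in Internet Explorer, paste the following into a text file and save it with the .reg file extension: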
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"1004"=dword:00000003
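2. Double-click the .reg file to apply it to your policy hive.
3. Restart the system to ensure the new configuration is applied.
Impact of this measure:
This sets URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) for all Internet zones for 64-bit and 32-bit processes. New ActiveX controls will not be installed. Previously installed ActiveX controls will continue to run.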
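To confirm after the restart that the mitigation is actually in place, the PowerShell check below reads the same four zone keys and reports every setting that is not DISABLED (3). It is an added example, not part of the original advisory; the function name Get-ActiveXMitigationStatus is hypothetical.

```powershell
# Added example: audit the ActiveX-install mitigation written by the .reg file above.
$base     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = 0..3                # the four zone keys the .reg file writes
$actions  = [ordered]@{
    '1001' = 'URLACTION_DOWNLOAD_SIGNED_ACTIVEX'
    '1004' = 'URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX'
}
$disabled = 3                   # DISABLED, the value the .reg file sets

# Hypothetical helper name: returns one row per zone/action pair.
function Get-ActiveXMitigationStatus {
    foreach ($zone in $zones) {
        $key = Join-Path $base $zone
        foreach ($name in $actions.Keys) {
            # A missing key or value means the policy is not applied here.
            $value = $null
            if (Test-Path -LiteralPath $key) {
                $item  = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
                $value = $item.$name
            }
            [pscustomobject]@{
                Zone     = $zone
                Action   = $actions[$name]
                Value    = if ($null -eq $value) { '<not set>' } else { $value }
                Hardened = ($value -eq $disabled)
            }
        }
    }
}

$report = @(Get-ActiveXMitigationStatus)
$report | Format-Table -AutoSize

$gaps = @($report | Where-Object { -not $_.Hardened })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) of $($report.Count) settings are not DISABLED (3)."
} else {
    Write-Output 'Zones 0-3 all have 1001 and 1004 set to DISABLED (3).'
}
```

The same check can be used after undoing the measure: every row should then show `<not set>`.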
How to undo this measure:
Delete the registry keys added by the measure above.