Any protection update against CVE-2021-40444 in exploit prevention. of endpoint Security and control 10.8

Question

as subject

LHerzog · Accepted Answer

I did a live query with the suggested code from the article and it gives me 
 Complete, no data sent 
 for all endpoints. 
 The reg keys are not present. So there should be some message like "ActiveX setting does not match the Microsoft recommendation" 
 SELECT name, type, data, datetime(mtime, 'unixepoch', 'localtime') AS registryWriteTime,
CASE
 WHEN data = '3' THEN 'ActiveX set to DISABLED as recommended by Microsoft'
 ELSE 'ActiveX setting does not match the Microsoft recommendation'
END AS mitigationStatus
FROM registry
WHERE path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%\1001' 
OR path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%\1004'

Qoosh · Answer

Hello Timothy, 
 Thank you for contacting the Sophos Community. Sophos has released the following news article regarding this vulnerability. - https://nakedsecurity.sophos.com/2021/09/08/windows-zero-day-mshtml-attack-how-not-to-get-booby-trapped/ 
 Within the article the following AV detection names are outlined. You can also see "CXmail/CXweb" detections generated from matching files. 
 Exp/2140444-A Troj/JSExp-W Troj/Cabinf-A Troj/Agent-BHRO Troj/Agent-BHPO & 
 Intercept X has a behavioral detection that corresponds with the behavior of the exploit itself. 
 Any web-servers seen in the attacks will have their IP addresses re-classified as "C2" destinations, or "Malware/Callhome". 
 
 Kushal Lakhan 
 Global Community Support Engineer | Global Community Team Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts If a post solves your question use the 'Verify Answer' link.

Any protection update against CVE-2021-40444 in exploit prevention. of endpoint Security and control 10.8

Top Replies