Using ThreatLocker to Mitigate CVE-2021-40444

6 min. read | Last update: 10.11.2021

ThreatLocker is currently testing how CVE-2021-40444 is exploited. This vulnerability allows an attacker to launch Internet Explorer from Microsoft Office and run a malicious ActiveX control (.ocx file).

The malicious files that take advantage of this exploit attempt to download and run an executable. As long as your device is secured with a default-deny policy, ThreatLocker will not allow the malicious executable to run.

Our investigation is ongoing, and we are working to create more default/suggested policies to better secure systems.

The current default Internet Explorer ThreatLocker Ringfencing policy will prevent Internet Explorer from being able to encrypt your files. 

In addition to this default policy, ThreatLocker also recommends the following precautions depending on your specific environment and needs:

Blocking Internet Explorer

Internet Explorer is a vulnerable and unsupported web browser. If your environment does not call for the use of Internet Explorer, it should be blocked. By default, there is a policy to allow Internet Explorer at both the Server and Workstation levels. You can change each of these to a 'Deny' policy, or you can create a new policy at the global level to block IE across all of your organizations if it isn't needed anywhere. Navigate to Application Control > Policies. Find the Internet Explorer policy under your workstations or servers group. Click the pencil icon (edit button) next to the policy name.

Under 'Should this policy permit or deny execution?' select 'Deny'. Under 'Status' select 'Secured' so that this policy is enforced even if your computers are in Learning, Installation, or Monitor mode.

Under 'Do you want this policy to apply to the entire organization or a selected computer group?', you can select the level at which you want to block Internet Explorer. Select 'Global' to deny IE everywhere. 

Click the 'Save' button in the top left. You will need to click the 'Deploy Policies' button. If you have set this globally, you will need to navigate to the Organizations page, select all your organizations, and then click the 'Deploy Policies' button on that page.

Ringfencing Internet Access for Internet Explorer

If your environment does call for the use of Internet Explorer, limit the websites it can access. This way, users will not be able to access malicious websites. Navigate to Application Control > Policies. Select your Internet Explorer policy and click the pencil icon (edit button) next to it. Scroll down to the 'Internet' tab.  

Select the checkbox next to 'Restrict these applications from accessing the internet, except for the below rules'. Then type in the exclusions you want to allow access to; you can use wildcards as needed. You can use IPv4 addresses (with or without CIDR notation), IPv6 addresses, or domain names. Be sure to click 'Add' after each entry. It is important to note that if you are specifying domain names, you should not put a wildcard at the end of the address. That would open the possibility that a compromised application could reach out to a domain that begins the same way as a legitimate domain (e.g. allowing www.google* could also allow www.google.bad.com).
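To make the trailing-wildcard pitfall concrete, here is an added example (not ThreatLocker code, and an assumed simplified model of how an exclusion list is evaluated) that checks whether a destination is permitted by a set of exclusions of the three kinds the article names, and flags domain rules that end in a wildcard:

```python
import fnmatch
import ipaddress


def rule_matches(rule, target):
    """Return True if one exclusion rule permits `target`.

    Assumed rule kinds (simplified model, not the product's real matcher):
      - IPv4/IPv6 address, with or without a CIDR prefix -> network containment
      - domain name, optionally containing '*'            -> case-insensitive glob
    """
    rule = rule.strip().lower()
    target = target.strip().lower()
    try:
        net = ipaddress.ip_network(rule, strict=False)
    except ValueError:
        # Not an IP or CIDR rule: treat it as a domain pattern.
        return fnmatch.fnmatchcase(target, rule)
    try:
        return ipaddress.ip_address(target) in net
    except ValueError:
        # IP rule but the destination is a hostname: no match.
        return False


def is_allowed(exclusions, target):
    """'Restrict ... except for the below rules': allowed only if a rule matches."""
    return any(rule_matches(r, target) for r in exclusions)


def risky_domain_rules(exclusions):
    """Return domain rules ending in '*', the pattern the article warns against."""
    risky = []
    for r in exclusions:
        try:
            ipaddress.ip_network(r, strict=False)
        except ValueError:
            if r.strip().endswith("*"):
                risky.append(r)
    return risky


if __name__ == "__main__":
    # Constructed sample exclusion list and destinations.
    rules = ["www.google.com", "www.google*", "10.0.0.0/8", "2001:db8::1"]
    for host in ["www.google.com", "www.google.bad.com", "10.20.30.40", "192.0.2.7"]:
        print(f"{host:22} allowed={is_allowed(rules, host)}")
    print("risky rules:", risky_domain_rules(rules))
```

Running it shows that the exact rule www.google.com does not permit www.google.bad.com, while www.google* does, which is why the flagged rule should be replaced with an exact name.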

Click the 'Save' button in the top left. You will need to click the 'Deploy Policies' button. If you have set this globally, you will need to navigate to the Organizations page, select all your organizations, and then click the 'Deploy Policies' button on that page. 

For more information on Ringfencing internet access, please see our associated article here.

Ringfencing Internet Access for Microsoft Office 

You should also limit Microsoft Office from accessing the internet except for the sites it needs to access. The same as above, navigate to Application Control > Policies. Select the pencil icon (edit button) next to your Microsoft Office policy. Scroll down to the 'Internet' tab. Here you can add any IPv4, IPv6, or domains, like above.  

If you are unsure of what sites Microsoft Office needs to access on the internet, you can either put the policy in Monitor Mode (this disables Ringfencing blocks for a period) or add a wildcard to a custom rule, and then review the Unified Audit a few days later to see what IP addresses and hostnames Microsoft Office tried to access. If you are still running in Learning Mode, there is no reason to do either, as the policy will only monitor and learn.

ThreatLocker has a built-in tag for Microsoft 365 that contains the IP addresses needed by Microsoft 365. If you would like to apply this convenient tag to your Office policy, select the 'Custom Rules' tab under 'Internet'. Any custom tags you have created, or built-in tags will be visible in the dropdown below 'Server'. Select the correct tag and click 'Add'. If you have added anything in the 'Custom Rules' tab, you will need to restart Microsoft Office before the changes will take effect.

For adding individual addresses, subnets, or domain names, you should use the 'Exclusions' tab as it is much more efficient to manage.  

Once you have added all your addresses, click the 'Save' button. You will need to click the 'Deploy Policies' button. If you have set this globally, you will need to navigate to the Organizations page, select all your organizations, and then click the 'Deploy Policies' button on that page. 

Blocking OCX Files

Create a storage policy to prevent the execution of all .ocx files. Navigate to Storage Control > Policies. Select 'New Storage Policy'.

Name your new policy. In the example below, we chose Deny ActiveX.

Select 'Deny' and 'Read & Write' under 'What should this policy do?'.  

If you do not need ActiveX controls anywhere in your organization, select 'Apply to entire organization'.

In the 'What paths should this apply to' area, type *.ocx and then click 'Add'. This states that any file name on any path that ends in .ocx will be denied.

You can leave all other settings at their default selections. At the very bottom, under 'Do you want to send an email when this policy is matched?', you can select 'Yes' if you would like to be alerted whenever an attempt is made to read or write any .ocx file in your environment.

Click the 'Save' button in the top left. Be certain to click the 'Deploy Policies' button. If you have elected to place this policy at the global level, be sure you navigate to the Organizations page, select all organizations, and then use the 'Deploy Policies' button located there.

If you are unsure of where to place the above policies, please contact the Cyber Heroes. They will assist you in making the most secure rules that will allow normal everyday business to continue to transpire.