Mitigation for Whitelisting Bypass using regsvr32 - "White Register"

A researcher has discovered undocumented functionality in regsvr32 that allows for arbitrary code execution even in otherwise locked-down environments.

Regsvr32, which provides core OS functionality for Windows, has an option available to load scripts from arbitrary network locations.

The researcher's description of exploitation is found here

Please note, the exploit described does -not- make any changes to the registry; monitoring of registry entries will not be effective.

One possible IOC: any .sct files loaded onto the machine may remain in the "Temporary Internet Files" cache - c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\
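A sweep for that IOC, as an added example that is not part of the original advisory: it walks every user profile, looks for .sct files in the Content.IE5 cache path named above (and, as an assumption for newer Windows builds that relocated the cache, the INetCache folder), and reports each hit with its timestamp and SHA-256 so the artifacts can be triaged and preserved. It assumes an elevated prompt so other users' profiles are readable.

```powershell
# Added example (not from the advisory): hunt for .sct files in each user's
# IE cache. Content.IE5 is the path the advisory gives; INetCache is an
# assumption covering Windows builds that moved the cache.
$cacheSubPaths = @(
    'AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5',
    'AppData\Local\Microsoft\Windows\INetCache'
)

function Find-SctArtifacts {
    param([string]$ProfileRoot = "$env:SystemDrive\Users")

    Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $userDir = $_.FullName
            foreach ($sub in $cacheSubPaths) {
                $dir = Join-Path $userDir $sub
                if (-not (Test-Path -LiteralPath $dir)) { continue }

                # -Force: the cache folders are hidden/system.
                # -Recurse: the cache keeps files in randomly named subfolders.
                Get-ChildItem -LiteralPath $dir -Recurse -Force -Filter '*.sct' -File -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        [pscustomobject]@{
                            User    = Split-Path $userDir -Leaf
                            Path    = $_.FullName
                            Written = $_.LastWriteTime
                            Size    = $_.Length
                            SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                        }
                    }
            }
        }
}

# Newest artifacts first; pipe to Export-Csv instead to keep a record for the case file.
Find-SctArtifacts | Sort-Object Written -Descending | Format-Table -AutoSize
```

Because the exploit touches no registry keys, this file-system check (together with firewall or proxy logs showing regsvr32.exe making outbound connections) is the practical place to look for evidence after the fact.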

There is at this time no patch available, but mitigation is possible via the Windows Firewall. Block %systemroot%\System32\regsvr32.exe and %systemroot%\SysWoW64\regsvr32.exe from network access, and the largest part of the threat surface will be mitigated.

Please note that you may have to block -both- 32 and 64 bit versions to be protected.
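The firewall mitigation from the two preceding paragraphs in script form, as an added example that is not part of the original advisory: it creates an outbound Block rule for each regsvr32 binary that exists on the host (so it also works on 32-bit Windows, where SysWOW64 is absent), and then verifies that every binary is covered by an enabled outbound Block rule. The rule names are this example's own choice; it assumes an elevated prompt and the NetSecurity module (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the advisory): block both regsvr32 binaries from the
# network with Windows Firewall, then verify the rules are in place.
$regsvr32Paths = @(
    "$env:SystemRoot\System32\regsvr32.exe",   # 64-bit binary on x64 Windows
    "$env:SystemRoot\SysWOW64\regsvr32.exe"    # 32-bit binary on x64 Windows
)

function Add-Regsvr32BlockRules {
    foreach ($exe in $regsvr32Paths) {
        if (-not (Test-Path -LiteralPath $exe)) { continue }   # no SysWOW64 on 32-bit Windows
        # Rule name (this example's choice) ends in System32 or SysWOW64 so the two are distinguishable.
        $name = 'Block regsvr32 outbound - ' + (Split-Path (Split-Path $exe -Parent) -Leaf)
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }  # idempotent
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
}

function Test-Regsvr32BlockRules {
    # Returns $true only when every regsvr32 binary present on the host has an
    # enabled outbound Block rule, regardless of what the rule is called.
    $ok = $true
    foreach ($exe in $regsvr32Paths) {
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $covered = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
            Where-Object {
                $program = ($_ | Get-NetFirewallApplicationFilter).Program
                $program -and ([Environment]::ExpandEnvironmentVariables($program) -ieq $exe)
            }
        if (-not $covered) {
            Write-Warning "No enabled outbound Block rule covers $exe"
            $ok = $false
        }
    }
    return $ok
}

Add-Regsvr32BlockRules
Test-Regsvr32BlockRules
```

The verification step matters because a rule that blocks only one of the two binaries leaves the other usable; running Test-Regsvr32BlockRules on a sample of hosts is a quick way to confirm that a Group Policy or script-based rollout actually reached both paths.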

Filtering out .sct files at your mailserver may be useful as well, to mitigate phishing risk.

There appear to be no significant side effects to normal operations from this mitigation.

This is a very severe vulnerability, as it allows for arbitrary code execution by a trusted program, and should be mitigated as soon as possible.