In an advisory issued on Tuesday, Microsoft said some of its users were targeted by poisoned Office documents that exploit an unpatched flaw to hijack their Windows machines.
The vulnerability, CVE-2021-40444, is described as a hole in MSHTML, Internet Explorer’s browser engine. Miscreants are seemingly placing a malicious ActiveX control in an Office document and convincing victims to open or view it, potentially achieving remote code execution.
“Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows,” the IT giant stated.
“Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.”
It went on to say how others could also exploit the bug, for which no patch exists yet: “An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
The vulnerability was reported to Redmond on Sunday by the team at malware detection biz, EXPMON, who were credited with the discovery along with a Microsoft staffer and three researchers at security shop Mandiant. US CERT has also issued a warning for IT admins to protect their systems.
“We have reproduced the attack on the latest Office 2019/Office 365 on Windows 10 (typical user environment), for all affected versions please read the Microsoft Security Advisory,” EXPMON said. “The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous).”
Well, up to a point. Microsoft noted that there are mitigations already in place:
And its antivirus tools should be able to detect the exploit:
Microsoft is no doubt working on a patch though as a workaround, you can protect yourself further by disabling the installation of all ActiveX controls by altering the registry and rebooting. There are full details here. ®