Microsoft has just released an update that fixes 66 security vulnerabilities as part of this month’s Patch Tuesday. One of them is a critical zero-day vulnerability that attackers are actively exploiting through Office files that contain malicious ActiveX controls. A few days ago, Microsoft issued a warning about the flaw after security researchers reported that malicious actors were exploiting it by tricking potential victims into opening malicious Office files. When such a file is opened, it automatically loads a page in Internet Explorer that contains an ActiveX control, which in turn downloads malware onto the victim’s computer.
When Microsoft issued the warning, it did not yet have a fix and only asked users to make sure that Microsoft Defender Antivirus or Microsoft Defender for Endpoint was enabled; both products can detect attempts to exploit the vulnerability. Users were also advised to disable all ActiveX controls in Internet Explorer. The vulnerability, tracked as CVE-2021-40444, affects Windows Server 2008 and Windows 7 through 10. Security researchers showed that the exploit is 100 percent reliable and that all it takes to infect a computer is for the victim to open the file sent by the attacker. The new update closes the hole so that the flaw can no longer be taken advantage of.
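The interim workaround mentioned above, disabling ActiveX controls in Internet Explorer, is applied through the browser's security-zone policy values rather than through any user-visible setting. The script below is an added example written for this page; it is not from the article, from Microsoft's advisory, or from any Microsoft tool. It assumes the documented Internet Explorer zone value names 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls), the value 3 meaning "Disable", and the machine-wide Policies registry path that overrides per-user zone settings. It must be run from an elevated PowerShell session.

```powershell
# Added example (not the article's or Microsoft's own code): disable ActiveX
# control installation in every Internet Explorer security zone, then verify.
# Assumptions: zone value 1001 = "Download signed ActiveX controls",
#              zone value 1004 = "Download unsigned ActiveX controls",
#              DWORD 3 = Disable; the Policies hive applies machine-wide.

$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones  = 0..3                         # 0 Local Machine, 1 Intranet, 2 Trusted, 3 Internet
$values = @{ '1001' = 3; '1004' = 3 }  # 3 = Disable

foreach ($z in $zones) {
    $key = Join-Path $base $z
    # Create the zone key under the Policies hive if it does not exist yet.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                         -Value $values[$name] -Force | Out-Null
    }
}

# Verification: list any zone/value pair that is not set to Disable.
$problems = foreach ($z in $zones) {
    $key = Join-Path $base $z
    foreach ($name in $values.Keys) {
        $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($actual -ne 3) { "Zone $z value $name is '$actual', expected 3" }
    }
}

if ($problems) { $problems }
else { 'ActiveX control downloads are disabled in all Internet Explorer zones (0-3).' }
```

Because these values live under the Policies hive, they take precedence over whatever each user has configured in Internet Options and survive a user re-enabling ActiveX there. The setting only blocks the download and installation of new controls; controls already installed on the machine keep running, which is why the workaround was only a stopgap until this month's update shipped.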
In addition to fixing CVE-2021-40444, the update also fixes two other critical flaws. As The Register points out, these are remote code execution vulnerabilities in the Windows WLAN AutoConfig service and in Open Management Infrastructure (OMI).