
Microsoft warned on Tuesday of an actively exploited zero-day flaw affecting Internet Explorer that is being used to hijack vulnerable Windows systems by means of weaponized Office documents.
Tracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (also known as Trident), the browser engine behind the now-discontinued Internet Explorer, which is also used in Office to render web content within Word, Excel, and PowerPoint documents.
“Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of the specific attacks that attempt to exploit this vulnerability using specially designed Microsoft Office documents,” the company said.
“An attacker could create a malicious ActiveX control that a Microsoft Office document hosting the browser rendering engine uses. The attacker should convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be seen to be less affected than users operating with administrative user rights,” it added.
The Windows maker credited researchers from EXPMON and Mandiant with reporting the flaw, although the company did not disclose additional details about the nature of the attacks, the identity of the adversaries exploiting this zero-day, or their targets in light of real-world attacks.
EXPMON, in a tweet, noted that it found the vulnerability after detecting a “very sophisticated zero-day attack” targeting Microsoft Office users, adding that it reported its findings to Microsoft on Sunday. “Exploitation uses logical flaws, so exploitation is perfectly reliable (and dangerous),” EXPMON researchers said.
However, it is worth noting that the current attack can be thwarted if Microsoft Office is running with default settings, in which documents downloaded from the web are opened in Protected View or Application Guard for Office, which is designed to prevent untrusted files from accessing trusted resources on the compromised system.
Microsoft is expected, once the investigation is complete, to release a security update as part of its monthly Patch Tuesday release cycle or issue an out-of-band patch “based on customer needs”. Meanwhile, the Windows maker urges users and organizations to disable all ActiveX controls in Internet Explorer to mitigate any potential attacks.