Microsoft has warned that cyber criminals are exploiting an Internet Explorer flaw to target victims with specially-crafted Microsoft Office documents.
The vulnerability tracked as CVE-2021-40444 is a remote code execution zero-day embedded in MSHTML, also known as the browser engine Trident that powers the now-retired Windows version of Internet Explorer.
It’s rated 8.8 out of ten on the CVSS scale and is under limited and targeted exploitation, according to a security alert released by the company.
Exploitation involves an attacker crafting a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.
ActiveX controls are small programmes, or add-ons, for Internet Explorer and other Windows applications used to build out feature sets and add more functionality.
Once the attacker has written the malicious ActiveX control, to successfully exploit this flaw they would need to convince a user to open the malicious file.
The vulnerability was first detected by Mandiant and EXPMON, with Microsoft refraining to disclose additional exploitation details as well as the identity of the victims exploited by the limited, targeted attacks.
EXPMON has described the exploit as “a highly sophisticated zero-day attack”, and has recommended that Microsoft Office users don’t open any files unless they trust the source.
RELATED RESOURCE
The firm has reproduced the attack on the latest Office 2019 and Office 365 suites on Windows 10. The researchers also said this exploit uses “logical flaws” so the exploitation is perfectly reliable and dangerous.
Users whose accounts are configured to have fewer user rights on the system won’t be as badly affected as those who retain administrative privileges, however.
There are a couple of additional mitigations that Microsoft has advised users could prevent exploitation, including opening all documents from the internet in Protected View or through Application Guard. Both of these methods will prevent the current attack.
The firm has also recommended that users disable the installation of all ActiveX controls in Internet Explorer. This can be accomplished for all sites by updating the registry. Previously installed ActiveX controls will continue to run, but these don’t expose this vulnerability.
Users need to take care, though, as using the Registry Editor incorrectly might lead to serious problems that require users to reinstall their operating systems.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
