New 0-Day Attack Targeting Windows Users With Microsoft Office Documents

Microsoft on Tuesday warned of an actively exploited zero-day flaw in Internet Explorer's rendering engine that is being used to hijack vulnerable Windows systems through weaponized Office documents.

Tracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw lies in MSHTML (aka Trident), the proprietary browser engine behind the now-discontinued Internet Explorer, which Office also uses to render web content inside Word, Excel, and PowerPoint documents.

“Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,” the company said.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” it added.

The Windows maker credited researchers from EXPMON and Mandiant with reporting the flaw, but disclosed no further details about the nature of the attacks, the identity of the adversaries exploiting this zero-day, or their targets.

EXPMON said in a tweet that it found the vulnerability after detecting a “highly sophisticated zero-day attack” aimed at Microsoft Office users, and that it passed its findings to Microsoft on Sunday.

“The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous),” EXPMON researchers said.

It is worth noting, however, that the current attack is blocked when Microsoft Office runs with its default configuration: documents downloaded from the internet open in Protected View or Application Guard for Office, which is designed to keep untrusted files from accessing resources on the system. A document opened in Protected View cannot load the ActiveX control the exploit depends on, so the attack relies on the user clicking through to enable editing, or on the file arriving without the mark of the web that triggers Protected View in the first place.

Once its investigation is complete, Microsoft is expected either to release a security update as part of its monthly Patch Tuesday cycle or to issue an out-of-band patch “depending on customer needs.” In the interim, the Windows maker is urging users and organizations to disable all ActiveX controls in Internet Explorer to mitigate any potential attack.
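The following PowerShell script is an added example, not code from the article or from Microsoft. It applies the interim ActiveX workaround described above by setting the Internet Explorer URLACTION values 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) to 3 (disable) for security zones 0 through 3 under the machine-wide policy key, then verifies that the values took, and separately checks that the Protected View triggers the previous paragraph relies on have not been switched off. The zone list, value names, and the Office 16.0 per-user registry path are this example's assumptions; confirm them against your own environment before deploying.

```powershell
# Added example (not from the article or Microsoft): apply and verify the
# "disable ActiveX in Internet Explorer" interim mitigation for CVE-2021-40444.
# Run from an elevated PowerShell session; Office and IE must be restarted
# for the policy to take effect.

# Machine-wide policy key; values here override per-user zone settings.
$zonesRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# URLACTION IDs (assumption: these are the two download-ActiveX actions):
#   1001 = Download signed ActiveX controls
#   1004 = Download unsigned ActiveX controls
# Value 3 = Disable.
$actions = @{ '1001' = 3; '1004' = 3 }

function Set-ActiveXDisabled {
    foreach ($zone in 0..3) {                       # 0 = Local Machine ... 3 = Internet
        $key = Join-Path $zonesRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $actions.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $actions[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-ActiveXDisabled {
    # Returns $true only if every zone has both actions set to 3.
    $ok = $true
    foreach ($zone in 0..3) {
        $key = Join-Path $zonesRoot $zone
        foreach ($name in $actions.Keys) {
            $val = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($val -ne 3) {
                Write-Warning "Zone $zone URLACTION $name = '$val' (expected 3)"
                $ok = $false
            }
        }
    }
    return $ok
}

function Test-ProtectedView {
    # Assumption: Office 16.0 per-user keys. A value of 1 means the user (or a
    # policy) has disabled that Protected View trigger, which is exactly the
    # state the mitigation described in the article depends on NOT being set.
    $ok = $true
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Microsoft\Office\16.0\$app\Security\ProtectedView"
        foreach ($name in 'DisableInternetFilesInPV', 'DisableAttachementsInPV', 'DisableUnsafeLocationsInPV') {
            $val = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($val -eq 1) {
                Write-Warning "${app}: $name is set; Protected View is weakened"
                $ok = $false
            }
        }
    }
    return $ok
}

Set-ActiveXDisabled
"ActiveX downloads disabled in zones 0-3: $(Test-ActiveXDisabled)"
"Protected View triggers intact:           $(Test-ProtectedView)"
```

Because the values are written under the Policies hive, they take precedence over anything a user has configured in Internet Options, and they remain in place after Microsoft ships a fix unless you remove them deliberately; track that as a follow-up item rather than leaving a legacy workaround in production indefinitely.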
