Microsoft has warned that a zero-day vulnerability in MSHTML, the browser rendering engine used by Internet Explorer, is being actively exploited by attackers using “specially crafted” Microsoft Office documents to run malicious code on a target’s system. There is currently no patch for the vulnerability, which has been designated CVE-2021-40444 and carries a CVSS severity score of 8.8 out of 10. Office is the delivery vector: the flaw itself lies in MSHTML, which Office documents can load.
However, up-to-date Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and response for the vulnerability, the Redmond-headquartered company said in an advisory.
According to Microsoft, an “attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine”.
For the attack to succeed the user must first open the booby-trapped Microsoft Office document. Microsoft said that Office opens documents from the internet in Protected View or Application Guard for Office, both of which block the attack seen in the wild; the exploit therefore depends on the user leaving Protected View, for example by clicking Enable Editing.
Microsoft rated the attack as low complexity, which raises the risk that a larger number of attackers replicate it in a spray-and-pray fashion. A successful attack gives the attacker remote code execution in the context of the user who opened the document, which could allow them to install any kind of malicious software, such as ransomware or a crypto-miner.
The US Cybersecurity and Infrastructure Security Agency issued an advisory of its own, encouraging users and administrators to “implement the mitigations and workarounds”.
The vulnerability affects every Windows release listed in Microsoft’s advisory, from Windows 7, 8.1 and 10 to Windows Server 2008, 2012, 2016, 2019 and 2022.
“Although this attack does require user interaction, threat actors are likely to target victim organisations with tailored emails or attempt to exploit current news events for a higher success rate,” said Scott Caveza, research engineering manager at Tenable.
Because the malicious code runs with the rights of the user who opened the document, Microsoft noted that accounts configured with fewer user rights could be less affected than accounts that operate with administrative privileges.
While there is currently no fix for the flaw, Microsoft has provided a workaround for IT administrators who want peace of mind: disabling the installation of all ActiveX controls in Internet Explorer. This blocks the installation of new ActiveX controls; controls that are already installed continue to run, but Microsoft said they do not expose this vulnerability.
This can be done using Registry Editor, but Microsoft cautioned that using it incorrectly may “cause serious problems” that could require reinstalling the operating system.
“Use Registry Editor at your own risk”, Microsoft said.
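The following PowerShell script is an added example, not code from the article or from Microsoft, showing how an administrator might apply and verify the registry workaround described above without hand-editing keys in Registry Editor. The registry path, the value names 1001 and 1004 (the URL actions for downloading signed and unsigned ActiveX controls) and the data value 3 (Disable) are the ones published in Microsoft’s advisory for CVE-2021-40444; the function names, the zone list comments and the output format are this example’s own choices. It must be run from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: apply Microsoft's published CVE-2021-40444 workaround
# (disable installation of ActiveX controls in Internet Explorer in all zones)
# and read the settings back to confirm they took effect.
# Path, value names and data come from Microsoft's advisory; everything else is illustrative.

$ZonesRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones     = 0..3                # 0 = Local Machine, 1 = Intranet, 2 = Trusted, 3 = Internet
$Actions   = @('1001', '1004')   # 1001 = download signed ActiveX, 1004 = download unsigned ActiveX
$Disable   = 3                   # URL action value 3 = Disable

function Disable-ActiveXInstall {
    # Writes the policy values for every zone; the Policies hive overrides per-user settings.
    foreach ($zone in $Zones) {
        $key = Join-Path $ZonesRoot "$zone"
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        foreach ($action in $Actions) {
            New-ItemProperty -Path $key -Name $action -Value $Disable `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-ActiveXInstallDisabled {
    # Returns $true only if all eight values are present and set to Disable.
    $allDisabled = $true
    foreach ($zone in $Zones) {
        $key = Join-Path $ZonesRoot "$zone"
        foreach ($action in $Actions) {
            $value = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
            if ($value -ne $Disable) { $allDisabled = $false }
            $state = if ($value -eq $Disable) { 'disabled' } else { 'NOT disabled' }
            Write-Host ("Zone {0}, action {1}: {2} (value = {3})" -f $zone, $action, $state, $value)
        }
    }
    return $allDisabled
}

function Undo-ActiveXInstallWorkaround {
    # Removes only the values this script wrote, for use once the vendor patch is installed.
    foreach ($zone in $Zones) {
        $key = Join-Path $ZonesRoot "$zone"
        if (Test-Path $key) {
            foreach ($action in $Actions) {
                Remove-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
            }
        }
    }
}

Disable-ActiveXInstall
if (Test-ActiveXInstallDisabled) {
    Write-Host 'Workaround applied in all four zones.'
} else {
    Write-Warning 'Workaround incomplete; check the zones reported as NOT disabled above.'
}
```

Because the values are written under the Policies hive, they apply to every user on the machine and take precedence over the per-user Internet Options settings. Keep `Undo-ActiveXInstallWorkaround` handy: once Microsoft ships the fix, the policy values should be removed rather than left behind as an undocumented change, and any controls that legitimately need to be installed afterwards will otherwise stay blocked.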
The tech giant said it might provide an out-of-cycle security update for CVE-2021-40444.
Payman Armin, CISO at Veritas Technologies, said Microsoft is “undoubtedly working feverishly to patch this new MSHTML vulnerability”.
Sam Curry, chief security officer at Cybereason, said Microsoft’s size and ubiquity made it an attractive target for attackers: “If you’re an attacker and want victims, you go after the biggest footprint.”
According to GlobalData’s thematic scorecards, Microsoft is the highest-ranked company for enterprise security.
Curry added: “Microsoft should, by all means, do all it can to reduce [incidents such as these], but security should assume that any vendor can be compromised and be prepared for that eventuality.”
The Microsoft Office zero-day exploit was discovered by security researchers from Mandiant and EXPMON.