Researchers uncovered active exploitation of a zero-day remote code execution vulnerability in the main HTML component of the now-discontinued Internet Explorer browser. Microsoft warned that unknown hackers are exploiting the vulnerability tracked as CVE-2021-40444 to compromise vulnerable Windows systems by using weaponized Microsoft Office documents.
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft said in a security advisory.
ActiveX is a software framework from Microsoft that adapts its earlier Component Object Model and Object Linking and Embedding technologies for content downloaded from a network.
Zero-Day Flaw Discovery
The critical vulnerability CVE-2021-40444 was first discovered by exploit detection service provider EXPMON. The company stated that they found the issue after detecting a “highly sophisticated zero-day attack” targeting Microsoft Office users.
💥💥⚡️⚡️
EXPMON system detected a highly sophisticated #ZERO-DAY ATTACK ITW targeting #Microsoft #Office users! At this moment, since there’s no patch, we strongly recommend that Office users be extremely cautious about Office files – DO NOT OPEN if not fully trust the source!— EXPMON (@EXPMON_) September 7, 2021
Mitigation
Microsoft stated that systems with active Microsoft Defender Antivirus and Defender for Endpoint (build 1.349.22.0 and above) are protected against the exploits of CVE-2021-40444. “Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protection for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments,” said Microsoft in a statement.
Microsoft also confirmed that it will provide a security patch or an out-of-cycle security update after investigating the incident.
How Microsoft Plans to Protect Trusted Office Docs
Microsoft is also planning to boost the security of the Trusted Office Documents and prevent their misuse in malicious campaigns.
“We are changing the behavior of Office applications to enforce policies that block Active Content (ex. macros, ActiveX, DDE) on Trusted Documents. Previously, Active Content was allowed to run in Trusted Documents even when an IT administrator had set a policy to block it. As part of ongoing Office security hardening, the IT administrator’s choice to block Active Content will now always take precedence over end-user set trusted documents,” Microsoft stated.
