Microsoft Warns of Active Attacks Using Malicious Office Documents -- Redmondmag.com

Microsoft Warns of Active Attacks Using Malicious Office Documents

By Kurt Mackie
09/07/2021

The Microsoft Security Response Center warned of active attacks leveraging a remote code execution vulnerability in Internet Explorer's Trident engine (MSHTML), per a Tuesday Twitter post.

The vulnerability, described in security bulletin CVE-2021-40444, is publicly disclosed and being exploited. It's rated 8.8 on the Common Vulnerability Scoring System. There's no patch yet available, but protection is afforded if organizations or individuals use Microsoft's automatic update service.

Organizations also are protected when using Microsoft's anti-malware products.

"Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability," Microsoft indicated.

Microsoft is currently investigating the vulnerability, and may issue a patch, either "out of band" (unscheduled) or during an "update Tuesday" release (patch release on the second Tuesday of a month). There's a workaround in the meantime, but it involves disabling all ActiveX controls in Internet Explorer.

An exploit can get triggered via "specially crafted Microsoft Office documents" that use a "malicious ActiveX" control, Microsoft explained. A successful attack apparently gives the attacker user rights on a system, but an end user would first need to open a malicious Office document for an attack to commence.

Here's how Microsoft expressed it:

The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft also indicated that mitigations are in place for organizations using Protected View or Application Guard for Office.

"By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office both of which prevent the current attack."

Protected View typically gets used with Office documents received via e-mail attachments, and it opens them in read-only mode. If a file opened in Protected View fails Microsoft's validation check, then end users get a warning that editing the file may harm their computers.

Application Guard, on the other hand, isolates the files via hardware-based virtualization. It allows end users to read, edit, print and save files. Microsoft recommends also using its Safe Documents service with Application Guard to determine if files are malicious outside of Application Guard's sandbox.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.