Microsoft Warns of Active Attacks Using Malicious Office Documents

The Microsoft Security Response Center warned of active attacks leveraging a remote code execution vulnerability in Internet Explorer's Trident engine (MSHTML), per a Tuesday Twitter post.

The vulnerability, described in security bulletin CVE-2021-40444, is publicly disclosed and being exploited. It's rated 8.8 on the Common Vulnerability Scoring System. There's no patch yet available, but protection is afforded if organizations or individuals use Microsoft's automatic update service.

Organizations are also protected when using Microsoft's anti-malware products.

"Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability," Microsoft indicated.

Microsoft is currently investigating the vulnerability, and may issue a patch, either "out of band" (unscheduled) or during an "update Tuesday" release (patch release on the second Tuesday of a month). There's a workaround in the meantime, but it involves disabling all ActiveX controls in Internet Explorer.
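The workaround mentioned above turns off ActiveX controls in Internet Explorer, which on a managed Windows host is done through the zone policy settings for ActiveX downloads. The following PowerShell script is an added example, not code from the article or from Microsoft: it audits whether those settings are already in the disabled state across the four standard security zones and changes nothing. The registry path, the zone numbers 0 to 3, the URL action ids 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls), and the value 3 meaning "Disable" are assumed from Microsoft's Internet Explorer zone documentation and should be checked against the current advisory before being relied on.

```powershell
# Added example (not from the article or from Microsoft). Read-only audit of the
# Internet Explorer ActiveX-download URL actions in security zones 0-3.
# Assumed from Microsoft's IE zone documentation: policy path, action ids
# 1001/1004, and value 3 = "Disable". Verify against the advisory in use.

$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$UrlActions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}
$Disabled = 3   # URL action value meaning "Disable"

$results = foreach ($zone in 0..3) {
    $zonePath = Join-Path $PolicyBase $zone
    foreach ($action in $UrlActions.Keys) {
        $value = $null
        if (Test-Path $zonePath) {
            # Missing value -> $null, which is reported as non-compliant below
            $value = (Get-ItemProperty -Path $zonePath -Name $action -ErrorAction SilentlyContinue).$action
        }
        [pscustomobject]@{
            Zone      = $zone
            Action    = $action
            Setting   = $UrlActions[$action]
            Value     = $value
            Compliant = ($value -eq $Disabled)
        }
    }
}

$results | Format-Table -AutoSize

if ($results.Compliant -contains $false) {
    Write-Warning 'One or more zones still allow ActiveX control downloads; the workaround is not fully applied.'
    exit 1
}
Write-Output 'ActiveX downloads are disabled in zones 0-3; the workaround is present.'
```

The script reads only the machine-wide policy hive, which takes precedence over per-user zone settings; it exits non-zero when any zone is not in the disabled state so it can be used as a compliance check from endpoint management tooling.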

An exploit can be triggered via "specially crafted Microsoft Office documents" that use a "malicious ActiveX" control, Microsoft explained. A successful attack apparently gives the attacker the rights of the logged-on user, but an end user would first need to open a malicious Office document for an attack to commence.

Here's how Microsoft expressed it:

The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft also indicated that mitigations are in place for organizations using Protected View or Application Guard for Office.

"By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office both of which prevent the current attack."

Protected View typically gets used with Office documents received via e-mail attachments, and it opens them in read-only mode. If a file opened in Protected View fails Microsoft's validation check, then end users get a warning that editing the file may harm their computers.

Application Guard, on the other hand, isolates the files via hardware-based virtualization. It allows end users to read, edit, print and save files. Microsoft also recommends using its Safe Documents service with Application Guard to determine whether files are malicious outside of Application Guard's sandbox.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
