Microsoft has warned that attackers are actively exploiting a remote code execution vulnerability using malicious Office 365 and Office 2019 files on Windows 10.
The bug is in MSHTML, the Internet Explorer rendering engine (Trident) that Office documents can also load to render web content.
The vulnerability, tracked as CVE-2021-40444, affects Windows Server 2008 through Windows Server 2019 and Windows 8.1 through Windows 10, and carries a CVSS severity score of 8.8 out of a maximum of 10.
The software giant is aware of targeted attacks that try to exploit the vulnerability by sending Office documents prepared specifically for potential victims.
The company said: "An attacker could create a malicious ActiveX control to be used by an Office document hosting the browser's rendering engine. The attacker then has to convince the user to open the malicious document."
However, the attack is blocked when Office runs with its default configuration, because documents downloaded from the internet are opened in Protected View or, on Office 365, in Application Guard for Office.
Protected View is a read-only mode in which most editing functions (and active content) are disabled. Application Guard goes further and isolates untrusted documents in a container, preventing them from reaching corporate resources, intranet sites, or other files on the system.
Systems running Microsoft Defender Antivirus or Microsoft Defender for Endpoint with detection build 1.349.22.0 or newer are protected against the known CVE-2021-40444 exploits.
Microsoft Defender for Endpoint raises an alert for this attack under the name "Suspicious Cpl File Execution".
Researchers from several security companies are credited with finding and reporting the vulnerability: Haifei Li of EXPMON; Dhanesh Kizhakkinan, Bryce Abdo, and Genwei Jiang of Mandiant; and Rick Cole of Microsoft Security Intelligence.
Microsoft warns of an attack that uses Office files
EXPMON (Exploit Monitoring Tool) said in a tweet that it found the vulnerability while investigating a highly sophisticated zero-day attack targeting Office users.
EXPMON researchers reproduced the attack on the latest versions of Office 2019 and Office 365 running on Windows 10.
The attackers used a DOCX file; when opened, the document loaded Internet Explorer's rendering engine to display a remote web page hosted on the attackers' server.
The payload was then downloaded via an ActiveX control defined on that web page and executed using a trick involving .cpl (Control Panel) files, the behaviour behind the "Suspicious Cpl File Execution" alert in Microsoft's guidance.
Since no security update is available yet, the company offered the following workaround: disable the installation of all ActiveX controls in Internet Explorer.
This is done by updating the Windows registry so that ActiveX installation is disabled for all sites; previously installed ActiveX controls continue to run, but they do not expose this vulnerability.
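The following PowerShell script is an added example, not code from the article or from Microsoft: it applies the registry workaround described above, verifies it, and checks that the Defender signature build meets the 1.349.22.0 threshold mentioned earlier. The registry value names follow Microsoft's published .reg workaround for CVE-2021-40444 (URL action 1001 = "Download signed ActiveX controls", 1004 = "Download unsigned ActiveX controls", policy value 3 = Disable, applied to security zones 0 through 3); the function names are the author's own. Run it from an elevated prompt, and keep the printed previous values so the change can be reverted once the official patch is installed.

```powershell
# Added example (not from the article): apply and verify Microsoft's registry
# workaround for CVE-2021-40444, then check the Defender signature build.
# Zones 0-3 = Local machine, Local intranet, Trusted sites, Internet.
$ZonesBase = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$UrlActions = '1001', '1004'   # signed / unsigned ActiveX download
$Disable = 3                    # URLPOLICY_DISALLOW
$MinDefenderSig = [version]'1.349.22.0'

function Disable-ActiveXDownload {
    # Set both URL actions to Disable in zones 0-3, printing the old value for rollback.
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonesBase $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($action in $UrlActions) {
            $old = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
            $oldText = if ($null -eq $old) { '(unset)' } else { $old }
            Set-ItemProperty -Path $key -Name $action -Value $Disable -Type DWord
            '{0}\{1}: {2} -> {3}' -f $zone, $action, $oldText, $Disable
        }
    }
}

function Test-ActiveXDownloadDisabled {
    # Returns $true only if every zone/action pair reads back as Disable (3).
    $ok = $true
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonesBase $zone
        foreach ($action in $UrlActions) {
            $value = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
            if ($value -ne $Disable) {
                Write-Warning "Zone $zone action $action is '$value', expected $Disable"
                $ok = $false
            }
        }
    }
    return $ok
}

function Test-DefenderSignatureBuild {
    # Get-MpComputerStatus is part of the built-in Defender module on Windows 10/Server.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -eq $status) {
        Write-Warning 'Microsoft Defender status unavailable (third-party AV or module missing)'
        return $false
    }
    $sig = [version]$status.AntivirusSignatureVersion
    "Defender signature build: $sig (minimum with CVE-2021-40444 detections: $MinDefenderSig)"
    return $sig -ge $MinDefenderSig
}

Disable-ActiveXDownload
if (Test-ActiveXDownloadDisabled) { 'ActiveX download disabled for zones 0-3.' }
if (-not (Test-DefenderSignatureBuild)) { Write-Warning 'Update Defender signatures before relying on detection.' }
```

Because the values live under HKLM, they override the per-user Internet Options settings and the change persists until the keys are set back to their recorded values; undo it only after the fix for CVE-2021-40444 has been applied.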