Microsoft has recently issued a warning regarding an actively exploited zero-day vulnerability affecting Internet Explorer. This flaw is being utilized to compromise Windows systems by means of malicious Microsoft Office documents. Identified as CVE-2021-40444 with a CVSS score of 8.8, the vulnerability resides in MSHTML, a proprietary browser engine that powers the now-retired Internet Explorer, and is also leveraged by Microsoft Office applications to display web content in Word, Excel, and PowerPoint documents.
According to Microsoft, investigations have revealed instances of remote code execution exploits tied to this vulnerability. The company has noted that attackers are specifically crafting malicious Office documents to exploit users’ systems. “Microsoft is aware of targeted attacks attempting to leverage this vulnerability,” the company stated, acknowledging the potential risk to users and organizations.
In describing the attack mechanism, Microsoft explained that an attacker could craft a malicious ActiveX control, embed it in a Microsoft Office document, and have it invoke the MSHTML rendering engine when the document is opened. The attack succeeds only if the user is persuaded to open the crafted document. Users whose accounts are configured with fewer privileges on the system are less affected than those who operate with administrative rights.
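The delivery shape described above, an Office document carrying an embedded ActiveX control and references to external content, can be triaged before a user opens it. The following is an added example written for this article, not code from Microsoft or the researchers; it assumes only the standard Office Open XML package layout (a zip with `.rels` relationship files) and builds a constructed, harmless sample document inline to scan.

```python
# Added example (not from the article, Microsoft or the researchers): a triage
# helper that flags Office Open XML documents carrying embedded ActiveX parts or
# external object references, the delivery shape described in the advisory.
import io
import re
import zipfile

OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
HYPERLINK_REL = OOXML_REL + "hyperlink"   # ordinary links are external too; skip them
CONTROL_REL = OOXML_REL + "control"       # relationship type of an ActiveX control part

def scan_ooxml(data: bytes) -> dict:
    """Return ActiveX parts, control relationships and non-hyperlink external targets."""
    findings = {"activex_parts": [], "control_rels": [], "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if "activeX/" in name:                      # e.g. word/activeX/activeX1.xml
                findings["activex_parts"].append(name)
            if not name.endswith(".rels"):
                continue
            rels = z.read(name).decode("utf-8", errors="replace")
            for tag in re.findall(r"<Relationship\b[^>]*>", rels):
                rtype = re.search(r'Type="([^"]*)"', tag)
                target = re.search(r'Target="([^"]*)"', tag)
                rtype = rtype.group(1) if rtype else ""
                target = target.group(1) if target else ""
                if rtype == CONTROL_REL:
                    findings["control_rels"].append((name, target))
                elif 'TargetMode="External"' in tag and rtype != HYPERLINK_REL:
                    findings["external_targets"].append((name, target))
    return findings

def is_suspicious(findings: dict) -> bool:
    """A document deserves a closer look if it embeds ActiveX or pulls in external objects."""
    return bool(findings["activex_parts"] or findings["control_rels"] or findings["external_targets"])

def build_sample_docx() -> bytes:
    """Constructed sample (not a real malicious file): a minimal .docx skeleton with an
    ActiveX part, a benign hyperlink and an external oleObject pointing at a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/activeX/activeX1.xml", "<ax:ocx/>")
        z.writestr("word/_rels/document.xml.rels", (
            "<Relationships>"
            f'<Relationship Id="rId1" Type="{HYPERLINK_REL}" Target="https://example.com/" TargetMode="External"/>'
            f'<Relationship Id="rId2" Type="{OOXML_REL}oleObject" Target="http://placeholder.invalid/obj" TargetMode="External"/>'
            f'<Relationship Id="rId3" Type="{CONTROL_REL}" Target="activeX/activeX1.xml"/>'
            "</Relationships>"))
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_ooxml(build_sample_docx()))
```

Run it against a mail-gateway quarantine folder to rank documents for analyst review; a hit is a reason to open the file only in Protected View or a sandbox, not proof of exploitation.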
The vulnerability was reported by researchers from EXPMON and Mandiant, who identified a “highly sophisticated zero-day attack targeting Microsoft Office users.” Although specific details about the perpetrators or their targets remain undisclosed, EXPMON indicated that the exploit employs logical flaws, enhancing its reliability and potential danger. This disclosure, made in a tweet by EXPMON, highlights the pressing need for awareness surrounding the issue.
Microsoft noted that the attack could be mitigated if Office applications are configured with default settings that open web-downloaded documents in Protected View or utilize Application Guard for Office, which is aimed at preventing untrusted files from accessing sensitive system resources.
As the investigation progresses, Microsoft is expected to release a security update either as part of its monthly Patch Tuesday cycle or as an out-of-band patch, depending on customer needs. In the interim, the company advises users and organizations to disable all ActiveX controls in Internet Explorer to reduce exposure to attacks leveraging this vulnerability.
This incident underscores the need for organizations to remain vigilant regarding software vulnerabilities. The tactics likely employed in this attack align with several techniques outlined in the MITRE ATT&CK framework, including initial access via malicious document delivery, exploitation of the vulnerability to execute arbitrary code, and potentially establishing persistence in compromised systems.
As cybersecurity threats continue to evolve, business owners are reminded to bolster their defenses by remaining informed about the latest vulnerabilities and adopting best practices for securing their systems against emerging threats.