This article is more than 1 year old

Miscreants fling booby-trapped Office files at victims, no patch yet, says Microsoft

ActiveX and MSHTML, the gift that keeps on giving ... to intruders

In an advisory issued on Tuesday, Microsoft said some of its users were targeted by poisoned Office documents that exploit an unpatched flaw to hijack their Windows machines.

The vulnerability, CVE-2021-40444, is described as a hole in MSHTML, Internet Explorer's browser engine. Miscreants are seemingly placing a malicious ActiveX control in an Office document and convincing victims to open or view it, potentially achieving remote code execution.

"Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows," the IT giant stated.

"Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents."

It went on to say how others could also exploit the bug, for which no patch exists yet: "An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

The vulnerability was reported to Redmond on Sunday by the team at malware detection biz, EXPMON, who were credited with the discovery along with a Microsoft staffer and three researchers at security shop Mandiant. US CERT has also issued a warning for IT admins to protect their systems.

"We have reproduced the attack on the latest Office 2019/Office 365 on Windows 10 (typical user environment), for all affected versions please read the Microsoft Security Advisory," EXPMON said. "The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous)."

Well, up to a point. Microsoft noted that there are mitigations already in place:

By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office both of which prevent the current attack.

And its antivirus tools should be able to detect the exploit:

Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.

Microsoft is no doubt working on a fix – perhaps in time for next week's Patch Tuesday – though as a workaround for now, you can protect yourself further by disabling the installation of all ActiveX controls by altering the registry and rebooting. There are full details here. ®

More about


Send us news

Other stories you might like