The US authorities are urging IT teams to follow newly released guidance from Microsoft designed to help mitigate a flaw in Windows currently under active exploitation.
High severity remote code execution bug CVE-2021-40444 exists in Windows browser engine MSHTML. Microsoft revealed in a note yesterday that the vulnerability is being used in targeted attacks featuring specially crafted Office documents. It could enable a remote attacker to hijack an affected system.
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” it explained.
“The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
Although no patch is yet available, Microsoft said that, by default, Office opens documents from the internet in Protected View or Application Guard for Office, which will prevent the attack.
It added that organizations could also disable their installation of all ActiveX controls in Internet Explorer to mitigate the threat. This can apparently be done for all sites by updating the registry.
Reports suggest the attacks spotted in the wild are being launched against customers using Microsoft 365 and Office 2019 on Windows 10.
“Vulnerabilities like these tend to have extremely long lifetimes for exploitation in the wild, highlighting the need for security monitoring and periodic threat hunting,” warned Jake Williams, CTO at incident response firm BreachQuest.
An alert from the US Cybersecurity and Infrastructure Security Agency (CISA) yesterday urged users and administrators to implement the workarounds or mitigations suggested by Microsoft.