In a security advisory, Microsoft warned that malicious hackers were exploiting an unpatched vulnerability in Windows to launch targeted attacks against organizations.
The security vulnerability, dubbed CVE-2021-40444, is a previously unknown remote code execution vulnerability in MSHTML, a core component of Windows that enables web content to be rendered.
According to Microsoft, the attacks exploiting the vulnerability have targeted businesses through boobytrapped Microsoft Office documents.
In short, a typical infection timeline might look like this:
- One of your users downloads or receives a boobytrapped Microsoft Office file. Maybe they are socially engineered into clicking on a malicious link, or they find the poisoned file in their inbox.
- The user opens the Microsoft Office file to view its contents, but it contains an embedded malicious ActiveX control.
- The ActiveX control exploits the MSHTML bug in Windows to gain the same level of control as the user, after which it installs malware of the attacker’s choice.
The Microsoft security team explains that the impact of an attack may be reduced for users who do not have administrative rights:
An attacker could create a malicious ActiveX control for use by a Microsoft Office document that hosts the browser rendering engine. The attacker should then convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system might be less impacted than users who work with administrative user rights.
EXPMON researcher Haifei Li, who reported his discovery of the “dangerous” vulnerability to Microsoft on Sunday, along with the fact that it was being exploited in in-the-wild attacks, advised, in the absence of an official fix, that “Office users are extremely careful with Office files – DO NOT OPEN if they do not fully trust the source!”
To reduce the risk, Microsoft advises system administrators to apply registry settings on their network that prevent new ActiveX controls from running. Previously installed ActiveX controls will continue to run, but do not expose this vulnerability.
Microsoft is expected to release its regular monthly batch of security fixes on Tuesday of next week, and many organizations are hoping that it will include a proper, permanent fix for the zero-day vulnerability CVE-2021-40444.
Editor’s Note: The views expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.