Microsoft warns flaw in Office and Internet Explorer used in attacks

Attackers are using specially-constructed Microsoft Office documents to exploit the flaw in Windows 10 and Windows Server.

Microsoft has warned of a zero-day flaw present in Windows 10 and some versions of Windows Server that is being actively exploited via Internet Explorer and Microsoft Office.

The issue, tracked as CVE-2021-40444, affects Microsoft MSHTML (also known as Trident), the engine that powers Internet Explorer as well as some web functions in Microsoft Office programs.

According to the company, hackers are engaging in “targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.”

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document.”

Microsoft does note that its Defender antivirus software can detect and protect against the attack, and that users who have less than complete rights on a system are less vulnerable to the attack than administrators.

The company advises users to keep their security software up to date, and says it will issue a fix as soon as possible.

Security researchers have also said that Microsoft Office's Protected View, which is automatically enabled for documents downloaded directly from the internet, blocks attacks using this exploit. However, there are ways for attackers to avoid Protected View, such as by packaging a document in a zip archive.

Microsoft also said that disabling new ActiveX controls in Internet Explorer can mitigate the attack, though researcher Kevin Beaumont said on Twitter that he had found a way to bypass this measure.

Internet Explorer has been officially retired in favour of Microsoft's new browser, Edge, but its final iteration continues to receive security updates. The application will begin to be phased out of support for Windows 10 users in June 2022, but still makes up more than 2pc of global browser usage according to Kinsta.

Over the summer, Microsoft announced that Windows 11 will be released before the end of 2021.
