Microsoft warns flaw in Office and Internet Explorer used in attacks

Attackers are using specially-constructed documents to exploit the flaw in Windows 10 and Windows Server.

Microsoft has warned of a zero-day flaw present in Windows 10 and some versions of Windows Server that is being actively exploited via Internet Explorer and Microsoft Office.

The issue, tracked as CVE-2021-40444, affects Microsoft MSHTML (also known as Trident), the engine that powers Internet Explorer as well as some web functions in other programs.

According to the company, hackers are engaging in “targeted attacks that attempt to exploit this vulnerability by using specially-crafted documents.”

“An attacker could craft a malicious ActiveX control to be used by a document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document.”

Microsoft does note that its Defender antivirus software can detect and protect against the attack, and that users who have less than complete rights on a system are less vulnerable to the attack than administrators.

The company advises users to keep their security software up to date, and says it will issue a fix as soon as possible.

Security researchers have also said that Microsoft Office’s Protected View, which is automatically enabled for documents downloaded directly from the internet, blocks attacks using this exploit. However, there are ways for attackers to avoid Protected View, such as by packaging a document in a zip archive.

Microsoft also said that disabling new ActiveX controls in Internet Explorer can mitigate the attack, though researcher Kevin Beaumont said on Twitter that he had found a way to bypass this measure.

Internet Explorer has been officially retired in favour of Microsoft’s new browser, Edge, but its final iteration continues to receive security updates. The application will begin to be phased out of support for Windows 10 users in June 2022, but still makes up more than 2pc of global browser usage according to Kinsta.

Over the summer, Microsoft announced that Windows 11 will be released before the end of 2021.
