Microsoft today fixed a high severity zero-day vulnerability actively exploited in targeted attacks against Microsoft Office and Office 365 on Windows 10 computers.
The remote code execution (RCE) security flaw, tracked as CVE-2021-40444, was found in the MSHTML Internet Explorer browser rendering engine used by Microsoft Office documents.
According to Microsoft, CVE-2021-40444 impacts Windows Server 2008 through 2019 and Windows 8.1 or later, and it has a CVSS severity score of 8.8 out of a maximum of 10.
“Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately.”
Security updates released after built-in defenses bypassed
The targeted attacks detected by Microsoft tried to exploit the vulnerability by sending specially-crafted Office documents with malicious ActiveX controls to potential victims.
Luckily, these attacks were thwarted if Microsoft Office ran with the default configuration, which opens untrusted documents in Protected View mode (or with Application Guard for Office 365 customers).
However, as CERT/CC vulnerability analyst Will Dormann later told BleepingComputer, this built-in protection against CVE-2021-40444 exploits would likely be bypassed either by users ignoring Protected View warnings or by attackers delivering the malicious documents bundled inside 7-Zip archives or ISO containers (which strip the Mark-of-the-Web that triggers Protected View).
Furthermore, Dormann also found that threat actors could exploit this vulnerability using maliciously-crafted RTF files, which don’t benefit from Office’s Protected View security feature.
How to apply the security updates
“Customers running Windows 8.1, Windows Server 2012 R2, or Windows Server 2012 can apply either the Monthly Rollup or both the Security Only and the IE Cumulative updates,” according to Microsoft.
“The Monthly Rollup for Windows 7, Windows Server 2008 R2, and Windows Server 2008 includes the update for this vulnerability. Customers who apply the Monthly Rollup do not need to apply the IE Cumulative update.
“Customers who only apply Security Only updates need to also apply the IE Cumulative update to be protected from this vulnerability.”
BleepingComputer independently confirmed that known CVE-2021-40444 exploits no longer work after applying today’s patches.
Those who cannot immediately apply today’s security updates should implement Microsoft’s workarounds (disabling ActiveX controls in Internet Explorer via Group Policy, and disabling document preview in Windows Explorer) to reduce the attack surface.
Source – Bleepingcomputer.com