Skip to content ↓ | Skip to navigation ↓

In a security advisory, Microsoft has warned that malicious hackers are exploiting an unpatched vulnerability in Windows to launch targeted attacks against organisations.

The security hole, dubbed CVE-2021-40444, is a previously unknown remote code execution vulnerability in MSHTML, a core component of Windows which helps render web-based content.

According to Microsoft, attacks exploiting the vulnerability have targeted companies via boobytrapped Microsoft Office documents.

In short, a typical timeline of infection might go something like this:

  • One of your users downloads or receives a boobytrapped Microsoft Office file. Perhaps they are socially-engineered into clicking on a malicious link, or find the poisoned file in their inbox.
  • The user opens the Microsoft Office file to view its contents, but it contains an embedded malicious ActiveX control.
  • The ActiveX control exploits the bug in Windows MSHTML to gain the same level of control as the user, whereupon it installs malware of the hacker’s choice.

Microsoft’s security team explains that users who are not running with administration rights can reduce the impact of an attack:

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Researcher Haifei Li of EXPMON who reported their discovery of the “dangerous” vulnerability to Microsoft on Sunday, and that it was being exploited in in-the-wild attacks, advised, in the absence of an official patch, that “Office users be extremely cautious about Office files – DO NOT OPEN if not fully trust the source!”

To reduce the risk, Microsoft advises that system administrators enforce registry settings across their network that prevents new ActiveX controls from running. Previously installed ActiveX controls will continue to run, but do not expose this vulnerability.

Microsoft is scheduled to release its regular monthly bundle of security patches on Tuesday next week, and many organisations will be hoping that a proper, permanent fix for the CVE-2021-40444 zero-day vulnerability is included.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.