IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers exploit Windows zero-day to target users with Office files

This ‘reliable and dangerous’ flaw is being abused to launch remote code execution attacks against specific targets

Microsoft has warned that cyber criminals are exploiting an Internet Explorer flaw to target victims with specially-crafted Microsoft Office documents.

The vulnerability tracked as CVE-2021-40444 is a remote code execution zero-day embedded in MSHTML, also known as the browser engine Trident that powers the now-retired Windows version of Internet Explorer. 

It’s rated 8.8 out of ten on the CVSS scale and is under limited and targeted exploitation, according to a security alert released by the company.

Exploitation involves an attacker crafting a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. 

ActiveX controls are small programmes, or add-ons, for Internet Explorer and other Windows applications used to build out feature sets and add more functionality. 

Once the attacker has written the malicious ActiveX control, to successfully exploit this flaw they would need to convince a user to open the malicious file. 

The vulnerability was first detected by Mandiant and EXPMON, with Microsoft refraining to disclose additional exploitation details as well as the identity of the victims exploited by the limited, targeted attacks.

EXPMON has described the exploit as “a highly sophisticated zero-day attack”, and has recommended that Microsoft Office users don’t open any files unless they trust the source. 

Related Resource

Ransomware report

The global state of the channel

Global state of the channel - ransomware report from DattoDownload now

The firm has reproduced the attack on the latest Office 2019 and Office 365 suites on Windows 10. The researchers also said this exploit uses “logical flaws” so the exploitation is perfectly reliable and dangerous.

Users whose accounts are configured to have fewer user rights on the system won’t be as badly affected as those who retain administrative privileges, however.

There are a couple of additional mitigations that Microsoft has advised users could prevent exploitation, including opening all documents from the internet in Protected View or through Application Guard. Both of these methods will prevent the current attack.

The firm has also recommended that users disable the installation of all ActiveX controls in Internet Explorer. This can be accomplished for all sites by updating the registry. Previously installed ActiveX controls will continue to run, but these don’t expose this vulnerability.

Users need to take care, though, as using the Registry Editor incorrectly might lead to serious problems that require users to reinstall their operating systems.

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download

Recommended

Microsoft identifies sophisticated Hive ransomware variant written in Rust
Security

Microsoft identifies sophisticated Hive ransomware variant written in Rust

6 Jul 2022
Microsoft reportedly blocks Russian Windows 10 and Windows 11 downloads
Microsoft Windows

Microsoft reportedly blocks Russian Windows 10 and Windows 11 downloads

20 Jun 2022
IT Pro News in Review: UK tech raises $16bn, Microsoft acquires Miburo, largest DDoS attack mitigated
Business strategy

IT Pro News in Review: UK tech raises $16bn, Microsoft acquires Miburo, largest DDoS attack mitigated

17 Jun 2022
Proofpoint details 'dangerous' ransomware flaw in SharePoint and OneDrive
ransomware

Proofpoint details 'dangerous' ransomware flaw in SharePoint and OneDrive

17 Jun 2022

Most Popular

Universities are fighting a cyber security war on multiple fronts
cyber security

Universities are fighting a cyber security war on multiple fronts

4 Jul 2022
Hackers claim to steal personal data of over a billion people in China
data breaches

Hackers claim to steal personal data of over a billion people in China

4 Jul 2022
Latest LockBit ransomware strain 'strikingly similar' to BlackMatter
ransomware

Latest LockBit ransomware strain 'strikingly similar' to BlackMatter

4 Jul 2022