Microsoft has acknowledged a Windows zero-day vulnerability in MSHTML that allows for remote code execution when exploited. The issue affects all versions from Windows 7 through Windows 10 and the corresponding Windows Server releases. The company is tracking the vulnerability under CVE-2021-40444 in MSRC and adds that it is aware of “targeted attacks” that are achieved by creating malicious Office documents that exploit the vulnerability. The issue has been given a score of 8.8.
The firm adds in the details that an attacker could create an ActiveX control to be used by Office’s MSHTML browser rendering engine, which when opened by the user could allow for remote code execution. However, those that use the default option to open files from the internet in Protected View or via Application Guard for Office will be able to fend off the attack. Additionally, Microsoft Defender Antivirus and Defender for Endpoint can successfully detect the threat. The Defender for Endpoint alert displayed for this threat is “Suspicious Cpl File Execution”.
Another workaround posted by the firm involves disabling the installation of all ActiveX controls via the registry. The firm notes that the change will not affect controls that were already installed but will still be protected. You can head to the workarounds section in the MSRC post for the detailed workaround and the resulting impacts.
As for a permanent fix or mitigation, Microsoft says that it will take an “appropriate action” on completion of its investigation. This might come in the way of fixes during next week’s Patch Tuesday updates or via an out-of-band security update before the scheduled monthly patches. A researcher from one of the cybersecurity organization that helped uncover this vulnerability, Haifei Li, said in a statement to BleepingComputer that the attach method is “100% reliable”, making it a significant risk. EXPMON researches could also reproduce the attack on Windows 10 running the latest Office 365 build.
Another Office-related issue reported this week involved a bug in Outlook that allowed suspicious email IDs seem genuine, opening users to potential phishing attacks. While the firm denied fixing the vulnerability, it reportedly did so in the latest version.