[BreachExchange] New 0-Day Attack Targeting Windows Users With Microsoft Office Documents

[Sophia Kingsbury]

https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html

Microsoft on Tuesday warned of an actively exploited zero-day flaw
impacting Internet Explorer that's being used to hijack vulnerable Windows
systems by leveraging weaponized Office documents.

Tracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw
is rooted in MSHTML (aka Trident), a proprietary browser engine for the
now-discontinued Internet Explorer and which is used in Office to render
web content inside Word, Excel, and PowerPoint documents.

"Microsoft is investigating reports of a remote code execution
vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware
of targeted attacks that attempt to exploit this vulnerability by using
specially-crafted Microsoft Office documents," the company said.

"An attacker could craft a malicious ActiveX control to be used by a
Microsoft Office document that hosts the browser rendering engine. The
attacker would then have to convince the user to open the malicious
document. Users whose accounts are configured to have fewer user rights on
the system could be less impacted than users who operate with
administrative user rights," it added.

The Windows maker credited researchers from EXPMON and Mandiant for
reporting the flaw, although the company did not disclose additional
specifics about the nature of the attacks, the identity of the adversaries
exploiting this zero-day, or their targets in light of real-world attacks.

EXPMON, in a tweet, noted it found the vulnerability after detecting a
"highly sophisticated zero-day attack" aimed at Microsoft Office users,
adding it passed on its findings to Microsoft on Sunday. "The exploit uses
logical flaws so the exploitation is perfectly reliable (& dangerous),"
EXPMON researchers said.

However, it's worth pointing out that the current attack can be suppressed
if Microsoft Office is run with default configurations, wherein documents
downloaded from the web are opened in Protected View or Application Guard
for Office, which is designed to prevent untrusted files from accessing
trusted resources in the compromised system.

Microsoft, upon completion of the investigation, is expected to either
release a security update as part of its Patch Tuesday monthly release
cycle or issue an out-of-band patch "depending on customer needs." In the
interim, the Windows maker is urging users and organizations to disable all
ActiveX controls in Internet Explorer to mitigate any potential attack.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210908/e0c8f9dd/attachment.html>