Microsoft’s embattled security response unit is scrambling to deal with another zero-day attack hitting users of its flagship Microsoft Office software suite.
The Redmond, Wash. software giant issued an urgent pre-patch advisory Tuesday to warn of a remote code execution vulnerability in MSHTML, the proprietary browsing engine built into the Office productivity suite.
“Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,” the company said bluntly.
As is customary, Redmond’s security response team did not provide additional details of the live attacks but there are enough clues in the attribution section of the advisory to suggest this is the work of nation-state APT actors.
Microsoft credited four different external researchers with reporting this exploit. Three of the four are affiliated with Mandiant, an anti-malware forensics firm that regularly documents high-end targeted attacks.
[ READ: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits ]
The company described the attacks as “targeted,” code-speak for the types of Windows malware implants used for government cyber-espionage or corporate data theft.
From Microsoft’s advisory on the CVE-2021-40444 vulnerability:
An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.
The company is recommending that Windows fleet administrators disable the installation of all ActiveX controls in Internet Explorer to mitigate the attack.
“Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs,” the company said.
This is the 62nd confirmed zero-day attack documented so far in 2021. According to data tracked by SecurityWeek, 20 of the 62 zero-days targeted code from Microsoft.
Related: Microsoft Patches 3 Under-Attack Windows Zero-Days
Related: Microsoft Raises Alarm for New Windows Zero-Day Attacks

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Sentra Raises $30 Million for DSPM Technology
- Saviynt Raises $205M; Founder Rejoins as CEO
- OpenVEX Spec Adds Clarity to Supply Chain Vulnerability Warnings
- Tenable Launches $25 Million Early-Stage Venture Fund
- VMware Plugs Critical Code Execution Flaws
- GoTo Says Hackers Stole Encrypted Backups, MFA Settings
- Apple Patches WebKit Code Execution in iPhones, MacBooks
- Thoma Bravo to Buy Magnet Forensics in $1.3B Transaction
Latest News
- Sentra Raises $30 Million for DSPM Technology
- Cyber Insights 2023: Cyberinsurance
- Cyber Insights 2023: Attack Surface Management
- Cyber Insights 2023: Artificial Intelligence
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- Guardz Emerges From Stealth Mode With $10 Million in Funding
- How the Atomized Network Changed Enterprise Protection
- Critical QNAP Vulnerability Leads to Code Injection
