Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Microsoft Office Zero-Day Hit in Targeted Attacks

Microsoft’s embattled security response unit is scrambling to deal with another zero-day attack hitting users of its flagship Microsoft Office software suite.

Microsoft’s embattled security response unit is scrambling to deal with another zero-day attack hitting users of its flagship Microsoft Office software suite.

The Redmond, Wash. software giant issued an urgent pre-patch advisory Tuesday to warn of a remote code execution vulnerability in MSHTML, the proprietary browsing engine built into the Office productivity suite.

“Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,” the company said bluntly.

As is customary, Redmond’s security response team did not provide additional details of the live attacks but there are enough clues in the attribution section of the advisory to suggest this is the work of nation-state APT actors.

Microsoft credited four different external researchers with reporting this exploit. Three of the four are affiliated with Mandiant, an anti-malware forensics firm that regularly documents high-end targeted attacks.

[ READ: Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits ]

The company described the attacks as “targeted,” code-speak for the types of Windows malware implants used for government cyber-espionage or corporate data theft.

From Microsoft’s advisory on the CVE-2021-40444 vulnerability: 

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.

The company is recommending that Windows fleet administrators disable the installation of all ActiveX controls in Internet Explorer to mitigate the attack.

“Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs,” the company said.

This is the 62nd confirmed zero-day attack documented so far in 2021. According to data tracked by SecurityWeek, 20 of the 62 zero-days targeted code from Microsoft.

Related: Microsoft Patches 3 Under-Attack Windows Zero-Days

Related: Microsoft Raises Alarm for New Windows Zero-Day Attacks

Related: Did Microsoft Botch the PrintNightmare Patch?

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.