Why it matters: Microsoft has received reports of a remote code execution (RCE) vulnerability, CVE-2021-40444, that attackers are actively exploiting. The attack uses malicious Microsoft Office files that load an ActiveX control through the MSHTML browser rendering engine. Affected systems include Windows Server 2008 through 2019 and Windows 7 through 10.
EXPMON targeted a very complex target: #ZERO-DAY ITW attack targeting #Microsoft #Office users! For now, since there are no patches, we highly recommend Office users be very careful about Office files - don't open them if you don't fully trust the source! - EXPMON (@EXPMON_), Sep 7, 2021
The file discovered by EXPMON was a Word document (.docx), but Microsoft did not indicate that the abuse is limited to Word files; any document that can invoke MSHTML is a potential vector. Microsoft has not yet released a patch for the vulnerability, but its advisory lists several mitigations.
Beyond being cautious about opening Office documents: in its default configuration, Microsoft Office opens files from untrusted sources in Protected View (or in Application Guard for Office on Office 365), which mitigates the attack. Microsoft Defender Antivirus and Defender for Endpoint also detect and block exploitation.
Microsoft also says users can disable the installation of all ActiveX controls in Internet Explorer. This workaround uses a registry (.reg) file provided in the advisory; running the file adds the new entries to the Windows registry, and a restart is required for the settings to take effect.
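As an added example (not from the article or from Microsoft's advisory), the following PowerShell script audits whether the ActiveX-download workaround is in place on a host and can apply it. The key path and value names (1001 and 1004 under security zones 0 to 3, set to 3 for "Disable") are my recollection of what Microsoft's .reg file sets; check them against the advisory before relying on this, and reboot after applying, as the article notes.

```powershell
# Audit and (optionally) apply the ActiveX-download workaround for CVE-2021-40444.
# Assumed policy location, as recalled from Microsoft's published .reg file:
$base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$values = '1001', '1004'   # 1001 = download signed ActiveX, 1004 = download unsigned ActiveX
$zones  = 0..3             # Local Machine, Local Intranet, Trusted Sites, Internet
$disabled = 3              # URL action value meaning "Disable"

function Test-ActiveXDownloadDisabled {
    # Returns one row per zone/value with the current setting and whether it is disabled.
    foreach ($zone in $zones) {
        $key = Join-Path $base $zone
        foreach ($name in $values) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Zone     = $zone
                Value    = $name
                Current  = $current
                Disabled = ($current -eq $disabled)
            }
        }
    }
}

function Set-ActiveXDownloadDisabled {
    # Writes the same DWORD values the advisory's .reg file would; requires an elevated shell.
    foreach ($zone in $zones) {
        $key = Join-Path $base $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $values) {
            New-ItemProperty -Path $key -Name $name -Value $disabled -PropertyType DWord -Force | Out-Null
        }
    }
}

$report = Test-ActiveXDownloadDisabled
$report | Format-Table -AutoSize
if ($report.Disabled -contains $false) {
    Write-Warning 'ActiveX download is still enabled in at least one zone. Run Set-ActiveXDownloadDisabled (elevated) and reboot.'
} else {
    Write-Host 'ActiveX download is disabled in all four zones.'
}
```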
Microsoft Office Zero-Day Vulnerability Allows Remote Code Execution