Microsoft warns of actively exploited zero-day in Office 365 and Office 2019
Microsoft warns that hackers are actively exploiting a vulnerability in Office 365 and Office 2019. The vulnerability is in MSHTML, the browser rendering engine of Internet Explorer, which is also used to render content in Office documents.
The vulnerability affects Windows 8.1 and Windows 10, and Windows Server versions from 2008 to 2019, according to a Microsoft advisory. Attackers reportedly send modified Microsoft Office documents to victims to exploit the vulnerability. If users open such a document without Office's security features active, the vulnerability allows remote code execution. The vulnerability is tracked as CVE-2021-40444 and has a severity score of 8.8 out of 10.
In the default configuration of Microsoft Office, however, unknown documents are opened in Protected View or Application Guard mode. The former is a read-only mode, and Application Guard isolates unknown documents, preventing them from accessing users’ systems. Within these modes, the vulnerability cannot be exploited. Windows Defender antivirus software and Windows Defender for Endpoint from build 1.349.22.0 also provide protection against the vulnerability. The vulnerability itself has not yet been patched in Windows.
Security researchers at Expmon say on Twitter that they found the vulnerability after detecting a “highly sophisticated zero-day attack” targeting Microsoft Office users. They managed to reproduce the attack on the most recent versions of Office 2019 and Office 365 on Windows 10.
Haifei Li of Expmon tells BleepingComputer that attackers are using an infected .docx file to exploit the vulnerability. When a victim opens it, the document invokes the Internet Explorer engine to load an external web page controlled by the attacker. Malware is then downloaded through a specific ActiveX control in that web page. Expmon reported the vulnerability to Microsoft on Sunday.
The company has not yet released a security update for Windows. The next Patch Tuesday is scheduled for September 14, but it has not been confirmed that Microsoft will release a patch for this vulnerability then. The tech giant does offer a workaround: users can disable the installation of all ActiveX controls in Internet Explorer through the registry. The company provides instructions for this.