UPDATE: Sept. 10, 2021: The workaround Microsoft developed to combat the CVE-2021-40444 vulnerability does not work in all cases, according to researchers from Huntress Labs. Huntress officials cited security researcher Rich Warren, who validated the attack in Windows Explorer with "preview mode" enabled.
"Without a patch available, and without effective mitigation strategies, things certainly look grave," John Hammond, senior security researcher at Huntress said. "Organizations should remain vigilant and do their best to avoid DOCX, RTF and PPTX files from unknown locations for the time being. As we know, prevention efforts are not the end-all, be-all — the community is working hard to prepare detection techniques and methodologies to hunt for this threat."
Dive Brief:
- Bad actors are leveraging an MSHTML zero-day remote code execution vulnerability in an attempt to exploit "specially-crafted Microsoft Office documents," Microsoft said in a security alert. The company gave the bug an 8.8 on its Common Vulnerability Scoring System (CVSS), which just misses the threshold for critical, according to the National Institute of Standards and Technology (NIST).
- Microsoft issued mitigations for CVE-2021-40444, which impacts Microsoft Windows, according to the alert. Attackers can "craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine" and then work to "convince" their target to open a malicious document.
- Because Office documents from the internet open in Protected View or Application Guard, the attack should be preventable. While customers with automatic updates do not need to apply mitigations, enterprise customers managing updates need the detection build 1.349.22.0 or newer, the company said.
Dive Insight:
Researchers from EXPMON submitted their findings to Microsoft on Sunday, and exploitation has already been detected. Microsoft might issue more updates through its monthly release process as the investigation proceeds, the company said.
The company recommends updating antivirus software, and said Microsoft Defender Endpoint alerts for the vulnerability will appear as "Suspicious Cpl File Execution."
The Cybersecurity and Infrastructure Security Agency (CISA) echoed Microsoft's workarounds to avoid the vulnerability, which include uninstalling Internet Explorer's ActiveX controls. This is a temporary fix until a patch is developed.
Microsoft detailed the proper way to disable ActiveX controls, but warned that "if you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system," the company said.
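The following audit script is an added example and is not from the article or from Microsoft; it checks a host for the two defensive items the article names: the Defender detection build (1.349.22.0, from the article) and whether ActiveX is disabled in the Internet Explorer security zones. The registry path and the value names 1001/1004 are the standard Internet Explorer zone-policy location and are assumed here, since the article only says the workaround is applied through the Registry Editor.

```powershell
# Added example (not the article's or Microsoft's own code). Audits, and optionally applies,
# the ActiveX workaround for CVE-2021-40444. Registry path and value names are assumptions
# (standard IE security-zone policy location); the signature build comes from the article.
#Requires -RunAsAdministrator

$MinimumSignatureVersion = [version]'1.349.22.0'   # detection build named in the article
$ZonePolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveXDownloadActions = @('1001', '1004')  # URLACTION: download signed / unsigned ActiveX (assumed)
$Disabled = 3                                 # zone policy value meaning "Disable" (assumed)

function Test-DefenderSignatureVersion {
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    [pscustomobject]@{
        Check   = 'Defender detection build'
        Current = $current
        Ok      = ($current -ge $MinimumSignatureVersion)
    }
}

function Test-ActiveXDownloadDisabled {
    # Zones 0-3: Local machine, Local intranet, Trusted sites, Internet
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonePolicyRoot $zone
        foreach ($action in $ActiveXDownloadActions) {
            $value = Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Check   = "Zone $zone action $action"
                Current = $(if ($null -eq $value) { 'not set' } else { $value.$action })
                Ok      = ($null -ne $value -and $value.$action -eq $Disabled)
            }
        }
    }
}

function Set-ActiveXDownloadDisabled {
    # Applies the workaround; the published workaround calls for a reboot afterwards.
    foreach ($zone in 0..3) {
        $key = Join-Path $ZonePolicyRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($action in $ActiveXDownloadActions) {
            New-ItemProperty -Path $key -Name $action -Value $Disabled -PropertyType DWord -Force | Out-Null
        }
    }
}

$results = @(Test-DefenderSignatureVersion) + @(Test-ActiveXDownloadDisabled)
$results | Format-Table -AutoSize
if ($results.Where({ -not $_.Ok }).Count -gt 0) {
    Write-Warning 'One or more checks failed; review the table above before relying on the workaround.'
}
```

A passing audit is not a guarantee: as the update at the top of the article notes, Huntress found the workaround does not block the case where the document is rendered in the Windows Explorer preview pane.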
On Tuesday, researchers from EXPMON cautioned Windows users to be skeptical of Office files because no patch is currently available. "Do not open if [you do] not fully trust the source," the company tweeted.
EXPMON, along with Mandiant, was among the researchers who detected the bug. EXPMON reproduced the attack successfully on the latest Office 2019 and Office 365 on Windows 10. The company concluded that "the exploit uses logical flaws so the exploitation is perfectly reliable" for hackers to use.