Microsoft has warned users of a remote code execution vulnerability in MSHTML that malicious actors can exploit to infect a target’s computer.
Hackers exploit this weakness by sending victims a Microsoft Office file that, once opened, directs the victim to the malicious actor’s website, which features an ActiveX control that downloads malware to the computer.
The vulnerability — CVE-2021-40444 — impacts Windows Server versions 2008 and onwards, as well as Windows 7 through Windows 10.
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” Microsoft said.
“The attacker would then have to convince the user to open the malicious document.”
“EXPMON system detected a highly sophisticated #ZERO-DAY ATTACK ITW targeting #Microsoft #Office users! At this moment, since there’s no patch, we strongly recommend that Office users be extremely cautious about Office files – DO NOT OPEN if not fully trust the source!”
— EXPMON (@EXPMON_) September 7, 2021
Multiple cybersecurity investigators reported the vulnerability and exploit to Microsoft.
Haifei Li of EXPMON spoke to BleepingComputer and indicated that the method is entirely consistent — a victim only needs to open the malicious file for infection to occur.
The attack experienced by Li came in the form of a Microsoft Word document (.docx).
Microsoft has yet to provide a patch for the vulnerability but has published mitigation steps to prevent infection via this exploit, advising users to disable all ActiveX controls in Internet Explorer.
The tech company has emphasised the need to keep Microsoft Defender Antivirus and Microsoft Defender for Endpoint up to date as they can both detect and prevent infection via the vulnerability.
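A .docx package records links to remote content as relationship entries marked `TargetMode="External"`, so a suspicious file like the one described above can be triaged without opening it in Word. The following is an added example, not code from Microsoft or EXPMON; the function names and the sample package (with placeholder `example.invalid` targets) are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Hyperlinks are followed only when clicked; other external targets
# (linked objects, templates, images) may be fetched when the file is opened.
CLICK_ONLY = ("/hyperlink",)


def external_relationships(docx_bytes):
    """Return (part, kind, target, loads_without_click) per external target."""
    if not zipfile.is_zipfile(io.BytesIO(docx_bytes)):
        raise ValueError("not an OOXML (zip) package")
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            # Parse on an analysis host: the input is untrusted XML.
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                rel_type = rel.get("Type", "")
                findings.append((name, rel_type.rsplit("/", 1)[-1],
                                 rel.get("Target", ""),
                                 not rel_type.endswith(CLICK_ONLY)))
    return findings


def build_sample():
    """Constructed sample package; hosts and targets are placeholders."""
    rows = [("rId1", "styles", "styles.xml", ""),
            ("rId2", "hyperlink", "https://example.invalid/about", "External"),
            ("rId3", "oleObject", "https://example.invalid/page.html", "External")]
    body = "".join(
        f'<Relationship Id="{i}" Type="{REL_TYPE}{k}" Target="{t}"'
        + (f' TargetMode="{m}"' if m else "") + "/>"
        for i, k, t, m in rows)
    xml = f'<Relationships xmlns="{REL_NS[1:-1]}">{body}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/document.xml.rels", xml)
    return buf.getvalue()


if __name__ == "__main__":
    for part, kind, target, auto in external_relationships(build_sample()):
        print(f"{'REVIEW' if auto else 'link  '} {part} {kind} -> {target}")
```

Entries flagged `REVIEW` are external targets other than ordinary hyperlinks; they are leads for an analyst to check, not proof that a document is malicious.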