An actively exploited zero-day flaw Tracked as CVE-2021-40444 (CVSS score: 8.8), has been discovered to be impacting Internet Explorer. The remote code execution flaw is rooted in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Office to render web content inside Word, Excel, and PowerPoint documents.
The company making a statement said “Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.”
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” it added.
Researchers from EXPMON and Mandiant have been credited for reporting the flaw, although additional specifics about the nature of the attacks was not disclosed nor the the identity of the adversaries exploiting this zero-day, or their targets in light of real-world attacks.
EXPMON, in a tweet, noted it found the vulnerability after detecting a “highly sophisticated zero-day attack” aimed at Microsoft Office users, adding it passed on its findings to Microsoft on Sunday. “The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous),” EXPMON researchers said.
However, it’s worth pointing out that the current attack can be suppressed if Microsoft Office is run with default configurations, wherein documents downloaded from the web are opened in Protected View or Application Guard for Office, which is designed to prevent untrusted files from accessing trusted resources in the compromised system.
A security update as part of its Patch Tuesday monthly release cycle is expected from Microsoft upon completion of the investigation or issue an out-of-band patch “depending on customer needs”. Windows users are urged to disable all ActiveX controls in Internet Explorer to mitigate any potential attack.