Microsoft Corp. warns that attackers exploit a previously unknown vulnerability in Windows 10 and a lot Windows server versions to take control of PCs when users open a malicious document or visit a tricked website. There is currently no official patch for the vulnerability, but Microsoft has released recommendations to mitigate the threat.
According to a security advisory from Redmond, the security vulnerability CVE-2021-40444 affects the “MSHTML” component of Internet Explorer (IE) on Windows 10 and a lot Windows server versions. IE was slowly phased out for newer Windows browsers like Edge, but the same vulnerable component is also used by Microsoft Office web content rendering applications.
“An attacker could create a malicious ActiveX control for use by a Microsoft Office document that hosts the browser rendering engine,” Microsoft wrote. “The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system might be less impacted than users who work with administrative user rights.
Microsoft has not yet released a patch for CVE-2021-40444, but claims that users can mitigate the threat of this flaw by disabling the installation of all ActiveX controls in IE. Microsoft says the vulnerability is currently being used in targeted attacks, although its review attributes the reporting of the vulnerability to three different entities.
One of the credited researchers – EXPMON – said on twitter that he had reproduced the attack on the latest Office 2019 / Office 365 on Windows 10.
“The exploit uses logical flaws, so the exploitation is perfectly reliable (and dangerous),” EXPMON tweeted.
Windows users could see an official fix for the bug as early as September 14, when Microsoft is expected to release its monthly patch Tuesday set of security updates.
This has been a tough year for Windows users and the so-called “zero-day” threats, which refer to vulnerabilities that are not patched by current versions of the software in question and are actively exploited to penetrate vulnerable computers. .
Virtually every month in 2021 so far, Microsoft has been forced to respond to zero-day threats targeting huge swathes of its user base. In fact, by my calculations, May has been the only month so far this year that Microsoft hasn’t released a patch to fix at least one zero-day attack in Windows or supported software.
Many of these zero days involve older or retired Microsoft technologies, such as IE11; Microsoft officially removed support for Microsoft Office 365 apps and services on IE11 last month. In July, Microsoft released a patch for the Print Nightmare vulnerability that was present in all supported versions of Windows, only to see the patch cause problems for a number of Windows users.
During Patch Tuesday in June, Microsoft fixed six zero-day security vulnerabilities. And of course, in March, hundreds of thousands of organizations Microsoft Exchange mail servers found these compromised systems with backdoors through four zero-day vulnerabilities in Exchange.