A flaw discovered in Microsoft Windows could allow remote takeover, and it's already been exploited in the wild.
In coordinated advisories Tuesday, the Cybersecurity and Infrastructure Security Agency and Microsoft urged users to follow mitigation steps, which are particularly important because a patch is not yet available. The Microsoft MSHTML remote code execution vulnerability, tracked as CVE-2021-40444, rated 8.8 out of 10 on the common vulnerability scoring system and affects Microsoft Windows. The target of the attack is Windows users' Office documents.
MSHTML is part of Windows Internet Explorer but can also be used for other applications such as ActiveX, which is affected by this flaw. Turning off ActiveX controls in Internet Explorer is one mitigation step Microsoft offered. According to the Microsoft advisory, attack complexity is low, but no privileges are required to execute.
"Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially crafted Microsoft Office documents," the Microsoft advisory said. "An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine."
While malicious documents can be sent, the real danger occurs only if the user opens it. Therefore, awareness is important -- particularly in enterprises where documents are shared regularly. However, Microsoft said not all users share the same level of risk.
"Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," the advisory said.
Along with Microsoft, the tech giant credits Mandiant and exploit detection platform Expmon for discovery. Expmon shared on Twitter details of finding the flaw, which it reported to Microsoft on Sunday. Expmon said it reproduced the attack on the latest Office 2019 and Office 365 environments on Windows 10.
— EXPMON (@EXPMON_) September 7, 2021
EXPMON system detected a highly sophisticated #ZERO-DAY ATTACK ITW targeting #Microsoft #Office users! At this moment, since there's no patch, we strongly recommend that Office users be extremely cautious about Office files - DO NOT OPEN if not fully trust the source!
While reports of in the wild exploitation have been made, the scope of impact remains unclear. In an email to SearchSecurity, Microsoft said it has identified a limited number of targeted attacks.
No timeline was provided on when the patch will be released, but mitigation efforts include disabling the installation of all ActiveX controls in Internet Explorer, which Microsoft said can be accomplished for all sites by updating the registry.
Additional actions may be taken when Microsoft completes its investigation, including monthly security updates.