Microsoft has reported a zero-day vulnerability, designated CVE-2021-40444, whose exploitation enables remote execution of malicious code on victims’ computers. Worse, cybercriminals are already using the vulnerability to attack Microsoft Office users. Therefore, Microsoft is advising Windows network administrators to employ a temporary workaround until the company can deploy a patch.
The vulnerability is in MSHTML, Internet Explorer’s engine. Although few people use IE these days (even Microsoft strongly recommends switching to its newer browser, Edge), the old browser remains a component of modern operating systems, and some other programs use its engine to handle Web content. In particular, Microsoft Office applications such as Word and PowerPoint rely on it.
How attackers are exploiting CVE-2021-40444
The attacks appear as embedded malicious ActiveX controls in Microsoft Office documents. The controls enable the execution of arbitrary code; the documents most likely arrive as e-mail message attachments. As with any attached document, attackers have to persuade victims— to open the file.
In theory, Microsoft Office handles documents received over the Internet in Protected View or through Application Guard for Office, either of which can prevent a CVE-2021-40444 attack. However, users may click the Enable Editing button without pausing to think, thus disarming Microsoft’s security mechanisms.
How to protect your company from CVE-2021-40444
Microsoft has promised to investigate and, if necessary, release an official patch. That said, we do not expect a patch before September 14, the next Patch Tuesday. Under normal circumstances, the company would not announce a vulnerability before the release of a fix, but because cybercriminals are already exploiting CVE-2021-40444, Microsoft recommends employing a temporary workaround immediately.
The workaround involves prohibiting the installation of new ActiveX controls, which you can do by adding a few keys to the system registry. Microsoft provides detailed information on the vulnerability, including a Workarounds section (in which you can also learn how to disable the workaround once you no longer need it). According to Microsoft, the workaround should not affect the performance of ActiveX controls already installed.
For our part, we recommend:
- Installing a security solution at the corporate mail gateway level or enhancing Microsoft Office 365's standard security mechanisms to protect corporate mail from attacks;
- Equipping all employee computers with security solutions capable of detecting vulnerability exploitation;
- Raising employee awareness of modern cyberthreats on a regular basis, and in particular, reminding them never to open documents from untrusted sources, much less turn on editing mode unless absolutely necessary.