KEY POINTS

  • Remote code execution vulnerability targets Microsoft Office document users
  • The attackers use a specially crafted Office document to launch the attack
  • Microsoft recommends that customers keep their antimalware up to date

Hackers are now using specially crafted Microsoft Office documents to launch attacks through an actively exploited zero-day vulnerability, a recent report said.

Microsoft has alerted Office users that threat actors could take advantage of a zero-day vulnerability tracked as CVE-2021-40444 and use it to hijack Windows systems. The software giant said specially crafted Microsoft Office documents are used to launch the attack, The Hacker News reported.

In a security update published on its website on Sept. 7, Microsoft said it is aware of a remote code execution vulnerability in MSHTML affecting Microsoft Windows, and said that it is currently investigating the reports.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” Microsoft said. “The attacker would then have to convince the user to open the malicious document,” the software giant added.

Microsoft said Rick Cole, from Microsoft Security Response Center, Haifei Li, from EXPMON, Dhanesh Kizhakkinan, Bryce Abdo and Genwei Jiang of Mandiant first discovered the vulnerability, ZDNet reported.

In a Twitter update posted Sept. 8, EXPMON revealed the detection of a highly sophisticated attack. The researcher reminded users not to open any document if they do not fully trust the source. The post added that as there is still no patch available to fix the issue, Microsoft Office users should exercise extreme caution with Office files.

Microsoft also reminded customers to ensure that their antimalware is up to date. The company recommends that enterprise customers use detection build 1.349.22.0 or later when managing updates.

For users with updated versions of antimalware, their devices will notify them upon detection of a potential attack. Microsoft devices will display the “Suspicious Cpl File Execution” alert once an attempted malicious attack is detected.

Microsoft Office users can mitigate the attack with a few preventive measures. Office's default configuration should be kept so that downloaded files open in Protected View or in Application Guard for Office.

Microsoft assured its customers that it will take appropriate action once the software giant finishes the investigation. The action could come with the regular Patch Tuesday update. The company may also consider releasing an out-of-cycle security update.

Analysts see more cyberattacks coming without a concerted effort to improve security and prosecute hackers AFP / Damien MEYER