Microsoft is warning customers about a newly identified vulnerability in the MSHTML component in Windows that attackers are actively exploiting in targeted attacks.
The vulnerability (CVE-2021-40444) affects most of the current versions of Windows and Windows Server, and it does not require any privileges for exploitation. Microsoft has published some workarounds and mitigations for the bug, but there is no patch available yet.
“Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,” the advisory says.
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
This flaw looks like a prime target for spear phishing attacks, as an attacker could simply attach the malicious Office document to a crafted email and just wait for the victim to open it. Microsoft recommends a few workarounds to help defend against attacks on this vulnerability, including disabling ActiveX controls.
“Disabling the installation of all ActiveX controls in Internet Explorer mitigates this attack. This can be accomplished for all sites by updating the registry. Previously-installed ActiveX controls will continue to run, but do not expose this vulnerability,” the advisory says.
The good news is that there are some default protections in Windows that mitigate this vulnerability. The default behavior for Microsoft Office is to open documents from the Internet in Protected View, which prevents the currently known attack from succeeding.
Microsoft’s next scheduled patch release is Sept. 14, but the company could release an out-of-band patch before then.