Microsoft acknowledges Windows zero-day vulnerability based on malicious Office files


Microsoft has acknowledged a new zero-day vulnerability in all versions of Windows that is currently being exploited by attackers. The company says that a remote code execution vulnerability has been found in MSHTML, which attackers can exploit through malicious Microsoft Office documents (via Bleeping Computer).

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” the company explained.

The remote code execution vulnerability, tracked as CVE-2021-40444, was discovered by researchers from different cybersecurity companies, including Microsoft Security Response Center, EXPMON, and Mandiant. When exploited, the vulnerability impacts MSHTML, Internet Explorer's browser rendering engine, which is also used to render browser-based content in Microsoft Office files on Windows.

The Redmond giant is already working on a fix and plans to release a security update on this month's Patch Tuesday or through an out-of-band update. In the meantime, users can protect their PCs by keeping antimalware products (i.e., Microsoft Defender Antivirus and Defender for Endpoint) up to date. The company also advises users to disable the installation of ActiveX controls in Internet Explorer to mitigate any potential attack. We invite you to check out Microsoft's Security Advisory page for more information about these workarounds.