Microsoft warns of attacks with Office files

Microsoft has warned that attackers are actively using malicious Office 365 and Office 2019 files on Windows 10 to exploit remote code execution vulnerabilities.

The problem appears to lie in MSHTML, the browser rendering engine that Office documents use to display web content.

The vulnerability, tracked as CVE-2021-40444, affects Windows Server 2008 through Windows Server 2019 and Windows 8.1 through Windows 10, and carries a CVSS severity score of 8.8 out of 10.

The software giant is aware of targeted attacks that try to exploit the vulnerability by sending specially prepared Office documents to potential victims.

The company said attackers could create malicious ActiveX controls to be used by Office documents that host the browser rendering engine. The attacker would then have to convince the user to open the malicious document.

However, if Office runs in its default configuration, the attack is blocked, because documents that come from the internet are opened in Protected View or in Application Guard for Office.

Protected View is a read-only mode in which most editing functions are disabled. Application Guard isolates untrusted documents in a container and prevents them from accessing corporate resources, intranet sites or other files on the system.

Systems with Microsoft Defender Antivirus and Defender for Endpoint (version 1.349.22.0 and later) are protected against CVE-2021-40444.

The company's enterprise security platform raises an alert for this attack titled "Suspicious Cpl File Execution".

Researchers from several cybersecurity companies discovered and reported the vulnerability: Haifei Li of EXPMON, Dhanesh Kizhakkinan, Bryce Abdo and Genwei Jiang of Mandiant, and Rick Cole of Microsoft Security Intelligence.


EXPMON (Exploit Monitoring Tool) said in a tweet that it found the vulnerability while investigating a highly sophisticated attack against Office users.

EXPMON researchers replicated the attack in the latest version of Office 2019 and Office 365 on Windows 10.

The attacker used a DOCX file that, when opened, loaded the Internet Explorer rendering engine to display a remote web page hosted by the attacker.

The ActiveX control referenced by that web page then downloads the malware. The attack also makes use of a technique called Cpl File Execution, which Microsoft's documentation mentions.

Since no security update is currently available, the company offers the following workaround: disable the installation of all ActiveX controls in Internet Explorer.

A Windows registry change disables the installation of new ActiveX controls for all sites (every URL security zone), while ActiveX controls that are already installed continue to run.
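As an added example (not code from the article or from Microsoft), the following PowerShell script audits, and with `-Apply` sets, the Internet Explorer zone values that this registry workaround changes: URL actions 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) set to 3 (Disable) in zones 0 to 3. The zone key path and action numbers are the standard Internet Explorer registry layout; the `-Apply` switch and the output format are this example's own.

```powershell
# Audit, and optionally apply, the CVE-2021-40444 workaround: block installation
# of new ActiveX controls in every Internet Explorer URL security zone.
# Run from an elevated PowerShell session. Without -Apply it only reports state.
param([switch]$Apply)

$zonesRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$actions   = @('1001', '1004')   # 1001 = signed ActiveX download, 1004 = unsigned
$disabled  = 3                   # URL action policy: 0 = Enable, 1 = Prompt, 3 = Disable

foreach ($zone in 0..3) {        # 0 Local Machine, 1 Intranet, 2 Trusted, 3 Internet
    $zoneKey = Join-Path $zonesRoot $zone
    if (-not (Test-Path $zoneKey)) {
        Write-Warning "Zone key $zoneKey not found; skipping"
        continue
    }
    foreach ($action in $actions) {
        # Read the current DWORD; $null when the value has never been set
        $current = (Get-ItemProperty -Path $zoneKey -Name $action -ErrorAction SilentlyContinue).$action
        $state = if ($current -eq $disabled) { 'OK (disabled)' } else { "NOT hardened (value: $current)" }
        Write-Output ("Zone {0} action {1}: {2}" -f $zone, $action, $state)
        if ($Apply -and $current -ne $disabled) {
            # Set-ItemProperty creates the value when it does not exist yet
            Set-ItemProperty -Path $zoneKey -Name $action -Value $disabled -Type DWord
            Write-Output ("  -> set to {0}" -f $disabled)
        }
    }
}
```

Record the values the audit prints before applying the change, since zone defaults differ per zone and are needed to revert the workaround once a patch is installed. Per-user zone settings under HKCU can take precedence over these machine-wide values unless the Security_HKLM_only policy is enabled, so check that hive as well.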
