New Windows Office 0 Day Rce Vulnerability

Microsoft released a security advisory earlier today for a new Remote Code Execution Vulnerability in MSHTML (CVE-2021-40444) that affects all current Windows versions discovered by security researchers from Mandiant and EXPMON. According to Microsoft, this vulnerability is currently being exploited in multiple targeted attacks. Details regarding the vulnerability and who is being targeted are still unavailable, but Microsoft is expected to release a patch next week. Though details are still pending, based on what we do know of the vulnerability, we can probably assume the current attack is a targeted phishing campaign. MSHTML, also known as Trident (software), is a browser engine used to render HTML in multiple Microsoft products, such as Office or Skype, and is also available as a DLL (mshtml.dll) that developer of other applications (such as early versions of Steam) can use. An attacker can craft a malicious ActiveX control and embed it in an Office document to exploit CVE-2021-40444. The target user must then open the malicious document for the exploit to run. The user must also either modify the default behavior of Office, which is to open documents in Protected View, or specifically allow ActiveX controls by clicking on a warning dialog box that opens when the document is opened.

According to Microsoft, the latest versions of Microsoft Defender Antivirus and Microsoft Defender for Endpoint both include detection and protections for CVE-2021-40444. Microsoft also recommends disabling installation of all ActiveX controls as a workaround until a patch is made available. Read the full advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 for details.

References: