On 7th September, Microsoft warned its users about CVE-2021-40444 (CVSS score: 8.8), a 0-day flaw in Internet Explorer, and about attackers targeting victims with weaponized MS Office documents. Attackers use the flaw by getting users to grant access to malicious pages inside Office documents, which results in a takeover of their Windows systems.
The flaw is a remote code execution vulnerability rooted in MSHTML, which is also called Trident. Trident is the browser engine of Internet Explorer, which has been discontinued. At present, Microsoft uses Trident to integrate web content links in PowerPoint, Word, and Excel documents.
According to Microsoft, the remote code execution vulnerability in Trident (MSHTML) is currently under investigation. The company has also said it is fully aware that attackers are actively using Microsoft Office documents that exploit this flaw in the wild.
According to Microsoft, an attack involves creating a specially crafted ActiveX control for a Microsoft Office document that uses MSHTML:
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document.”
To avoid this risk, users can configure their systems to run with minimal user rights.
Microsoft credited EXPMON and Mandiant researchers for bringing this flaw to light. However, the company did not reveal any information on the attackers’ identities, the type of attacks, or their possible targets.
EXPMON tweeted that it had found a “highly sophisticated zero-day attack” on Microsoft users and that it reported the attack to the company on 5th September. The tweet also mentioned that the exploit uses logical flaws.
Users can run their systems with default configurations to prevent exploitation. Microsoft may issue a fix in its monthly Patch Tuesday release or release an out-of-band patch.
For now, Microsoft advised users and organizations to disable all ActiveX controls in IE.
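One way to check whether that advice is in effect on a machine, as an added example that is not from the original article or from Microsoft. It assumes the restriction is applied through the per-zone machine policy values for the documented Windows URL actions 1001 and 1004 (download signed and unsigned ActiveX controls), where the value 3 means "disallow"; the function name `Get-ActiveXDownloadPolicy` is hypothetical. The script only reads the registry and changes nothing.

```powershell
# Added example: read-only audit of the ActiveX download policy per security zone.
# Assumption: the block is enforced through the machine policy hive below.
$ZonesRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Documented URL action IDs; the registry value name is the hex ID without "0x".
$Actions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}
$Zones = [ordered]@{
    '0' = 'Local Machine'
    '1' = 'Intranet'
    '2' = 'Trusted Sites'
    '3' = 'Internet'
}
$Disallow = 3   # URLPOLICY_DISALLOW

function Get-ActiveXDownloadPolicy {
    param([string]$Root = $ZonesRoot)
    foreach ($zone in $Zones.GetEnumerator()) {
        $key = Join-Path $Root $zone.Key
        foreach ($action in $Actions.GetEnumerator()) {
            # A missing key or value means no policy is enforced for this pair.
            $value = $null
            if (Test-Path -LiteralPath $key) {
                $item  = Get-ItemProperty -LiteralPath $key -Name $action.Key -ErrorAction SilentlyContinue
                $value = $item.($action.Key)
            }
            [pscustomobject]@{
                Zone    = $zone.Value
                Action  = $action.Value
                Value   = if ($null -eq $value) { 'not set' } else { $value }
                Blocked = ($value -eq $Disallow)
            }
        }
    }
}

$report = @(Get-ActiveXDownloadPolicy)
$report | Format-Table -AutoSize

# Report every zone/action pair where ActiveX download is not explicitly disallowed.
$open = @($report | Where-Object { -not $_.Blocked })
if ($open.Count -gt 0) {
    Write-Warning "$($open.Count) zone/action pair(s) do not block ActiveX download."
}
```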