Microsoft Office Zero-Day Hit in Targeted Attacks
Microsoft’s embattled security response unit is scrambling to deal with another zero-day attack hitting users of its flagship Microsoft Office software suite.
The Redmond, Wash. software giant issued an urgent pre-patch advisory Tuesday to warn of a remote code execution vulnerability in MSHTML, the proprietary browsing engine built into the Office productivity suite.
“Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,” the company said bluntly.
As is customary, Redmond’s security response team did not provide additional details of the live attacks, but there are enough clues in the attribution section of the advisory to suggest this is the work of nation-state APT actors.
Microsoft credited four different external researchers with reporting this exploit. Three of the four are affiliated with Mandiant, an anti-malware forensics firm that regularly documents high-end targeted attacks.
The company described the attacks as “targeted,” code-speak for the types of Windows malware implants used for government cyber-espionage or corporate data theft.
From Microsoft’s advisory on the CVE-2021-40444 vulnerability:
An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: “Suspicious Cpl File Execution”.
The company is recommending that Windows fleet administrators disable the installation of all ActiveX controls in Internet Explorer to mitigate the attack.
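The ActiveX mitigation above is a registry policy change, and administrators usually want to audit a fleet before flipping it. The following script is an added example, not code from the article or from Microsoft; it assumes the standard Internet Explorer security-zone policy path and the well-known zone value names (1001 = download signed ActiveX controls, 1004 = download unsigned ActiveX controls, where 3 means Disable), which the article itself does not name.

```powershell
# Added example: audit, and with -Apply enforce, the "disable ActiveX
# installation in all IE zones" mitigation through machine policy keys.
# Assumed (not from the article): policy path, value names 1001/1004, 3 = Disable.
param([switch]$Apply)

$ZonesRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Values    = @('1001', '1004')   # download signed / unsigned ActiveX controls
$Disabled  = 3                   # 3 = Disable, 0 = Enable, 1 = Prompt

# Zones: 0 = Local Machine, 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet
foreach ($zone in 0..3) {
    $key = "$ZonesRoot\$zone"
    if (-not (Test-Path $key)) {
        if ($Apply) {
            New-Item -Path $key -Force | Out-Null
        } else {
            Write-Output "Zone $zone : policy key absent, ActiveX install NOT restricted"
            continue
        }
    }
    foreach ($name in $Values) {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        $shown   = if ($null -eq $current) { 'unset' } else { $current }
        $state   = if ($current -eq $Disabled) { 'OK' } else { 'NOT HARDENED' }
        Write-Output ("Zone {0} value {1}: {2} ({3})" -f $zone, $name, $shown, $state)

        if ($Apply -and $current -ne $Disabled) {
            # DWORD 3 disables downloading/installing ActiveX controls in this zone
            Set-ItemProperty -Path $key -Name $name -Value $Disabled -Type DWord
            Write-Output "  -> set $name to $Disabled"
        }
    }
}
```

Run without switches to report the current state; run elevated with -Apply to enforce the setting, and note that a later security update is the real fix, so plan to revert the policy once patched.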
“Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs,” the company said.
This is the 62nd confirmed zero-day attack documented so far in 2021. According to data tracked by SecurityWeek, 20 of the 62 zero-days targeted code from Microsoft.