UPDATE: Sept. 10, 2021: The workaround Microsoft developed to combat the CVE-2021-40444 vulnerability, is not working in all cases, according to researchers from Huntress Labs. Huntress officials cited security researcher Rich Warren, who validated the attack in Windows Explorer with "preview mode" enabled.
"Without a patch available, and without effective mitigation strategies, things certainly look grave," John Hammond, senior security researcher at Huntress said. "Organizations should remain vigilant and do their best to avoid DOCX, RTF and PPTX files from unknown locations for the time being. As we know, prevention efforts are not the end-all, be-all — the community is working hard to prepare detection techniques and methodologies to hunt for this threat."
- Bad actors are leveraging a MSHTML zero-day remote execution vulnerability in an attempt to exploit "specially-crafted Microsoft Office documents," Microsoft said in a security alert. The company gave the bug an 8.8 on its Common Vulnerability Scoring System (CVSS), which just misses the threshold for critical, according to the National Institute of Standards and Technology (NIST).
- Microsoft issued mitigations for CVE-2021-40444, which impacts Microsoft Windows, according to the alert. Attackers can "craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine" and then work to "convince" their target to open a malicious document.
- Because Office documents open in Protected View or Application Guard from the internet, the attack should be preventable. While customers with automatic updates do not have to issue mitigations, enterprise customers managing updates need the detection build 1.349.22.0 or newer, the company said.
Researchers from EXPMON submitted their findings to Microsoft Sunday, and have already detected exploitation. Microsoft might issue more updates in the monthly release process as the investigation proceeds, the company said.
The company recommends updating antivirus software, but said Microsoft Defender Endpoint alerts will appear as "Suspicious Cpl File Execution" for the vulnerability.
The Cybersecurity and Infrastructure Security Agency (CISA) echoed Microsoft's workarounds to avoid the vulnerability, which include uninstalling Internet Explorer's ActiveX controls. This is a temporary fix until a patch is developed.
Microsoft detailed the proper way to disable ActiveX controls, but "if you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system," the company said.
On Tuesday, researchers from EXPMON cautioned Windows users to be skeptical of Office files as there is currently no patch available. "Do not open if [you do] not fully trust the source," the company tweeted.
EXPMON was among the researchers, along with Mandiant, to detect the bug. EXPMON was able to reproduce the attack successfully on the latest Office 2019 and Office 365 on Windows 10 versions. They concluded "the exploit uses logical flaws so the exploitation is perfectly reliable," for hackers to use, the company said.