Microsoft has received reports of a remote code execution (RCE) vulnerability (CVE-2021-40444) that hackers are actively exploiting. The attack uses maliciously crafted Microsoft Office files that open an ActiveX control using the MSHTML browser rendering engine. Vulnerable systems include Windows Server 2008 through 2019 and Windows 7 through 10.
Expmon, one of several security firms that reported the zero-day exploit, told BleepingComputer that the attack method is 100-percent reliable, which makes it very dangerous. Once a user opens the document, it loads malware from a remote source. Expmon tweeted that users should not open any Office documents unless they are from an entirely trusted source.
EXPMON system detected a highly sophisticated #ZERO-DAY ATTACK ITW targeting #Microsoft #Office users! At this moment, since there’s no patch, we strongly recommend that Office users be extremely cautious about Office files – DO NOT OPEN if not fully trust the source!
— EXPMON (@EXPMON_) September 7, 2021
The file that Expmon discovered was a Word document (.docx), but Microsoft did not indicate that the exploit was limited to Word files. Any document that can call on MSHTML is a potential vector. Microsoft does not have a fix for the security hole yet, but it does list some mitigation methods in the bug report.
Aside from users being cautious when opening Office documents, Microsoft Office in its default configuration opens files in Protected View mode (Application Guard in Office 365), which mitigates the attack. Additionally, Microsoft Defender Antivirus and Defender for Endpoint prevent the exploit from executing.
Microsoft also says that users can disable the installation of all ActiveX controls in Internet Explorer. This workaround requires a registry file (.reg), which users can find in the bug report. Running the .reg file adds the new entries to the Windows registry. A reboot is required for the settings to take effect.