Top News in Cyber Defence

Microsoft Announces ‘Zero Day’ Vulnerability for Internet Explorer

Date: Sept 8, 2021

Impacted Applications: Internet Explorer (MSHTML rendering engine), Microsoft Office

Rating: CRITICAL

Microsoft has announced a zero-day vulnerability (one that is publicly known before a fix is available) in MSHTML, the Internet Explorer browser rendering engine that Microsoft Office documents can host, and has confirmed that criminals are actively exploiting it in targeted attacks. The vulnerability is tracked as CVE-2021-40444.

Key Details:

  • When exploited, the vulnerability lets an attacker run code on a desktop or server with the rights of the signed-in user once that user opens a malicious Microsoft Office document or visits a ‘booby-trapped’ website.
  • In a security advisory released, Microsoft stated the following:
    • “An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” Microsoft wrote. “The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
  • There is currently no patch available from Microsoft for the vulnerability.
    • Independent security researchers have described the exploit as “reliable and dangerous.” A patch is expected with Microsoft’s monthly ‘Patch Tuesday’ release on September 14th.

Next Steps:

  • Although a fix is not yet available, Microsoft has published a temporary mitigation:
    • Disable the installation of all ActiveX controls in Internet Explorer (IE), for every security zone, through the registry; this blocks the malicious ActiveX control the exploit relies on. By default, Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack, so users should not leave Protected View or click ‘Enable Editing’ on documents they do not trust.
  • Users should keep all Microsoft systems patched and up to date, and check for updates regularly over the next 14 days, including on the expected Patch Tuesday release.
  • Users should remain especially vigilant when clicking links and opening attachments, as both are delivery methods for this vulnerability.
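
The registry mitigation above, as an added PowerShell example that is not part of the original post or of Microsoft’s advisory text: it applies the workaround Microsoft published for CVE-2021-40444 (setting the URLACTION values 1001 and 1004, which govern downloading signed and unsigned ActiveX controls, to 3 for Internet Explorer zones 0 through 3 under the machine-wide Policies hive) and then reads the values back to verify that every zone is covered. The function names and layout are the editor’s; the registry path and values are taken from the Microsoft advisory referenced below and should be confirmed against it before deployment.

```powershell
# Added example (not from the original post or from Microsoft's advisory text).
# Applies and verifies the CVE-2021-40444 workaround: block installation of
# ActiveX controls in Internet Explorer for all zones by setting URLACTION
# 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX
# controls) to 3 (Disable) in the machine-wide Policies hive for zones 0-3.
# Run from an elevated session; a reboot is required for the change to take
# effect. Confirm the path and values against the MSRC advisory before use.

$ZoneRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Actions  = @{ '1001' = 3; '1004' = 3 }   # 3 = Disable
$Zones    = 0..3                          # Local Machine, Intranet, Trusted, Internet

function Set-ActiveXInstallBlock {
    # Create each zone key if it is missing and force both URLACTION values to 3.
    foreach ($zone in $Zones) {
        $key = Join-Path -Path $ZoneRoot -ChildPath "$zone"
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        foreach ($action in $Actions.Keys) {
            New-ItemProperty -Path $key -Name $action -PropertyType DWord `
                -Value $Actions[$action] -Force | Out-Null
        }
    }
}

function Test-ActiveXInstallBlock {
    # Returns $true only when every zone has both actions set to 3; warns on
    # each value that is missing or differs, so a partial rollout is visible.
    $ok = $true
    foreach ($zone in $Zones) {
        $key = Join-Path -Path $ZoneRoot -ChildPath "$zone"
        foreach ($action in $Actions.Keys) {
            $value = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
            if ($value -ne $Actions[$action]) {
                Write-Warning "Zone $zone action $action is '$value', expected $($Actions[$action])"
                $ok = $false
            }
        }
    }
    return $ok
}

Set-ActiveXInstallBlock
if (Test-ActiveXInstallBlock) {
    'ActiveX installation blocked for IE zones 0-3; reboot to enforce.'
}
```

Run this from an elevated PowerShell session and reboot afterwards. Because it lives under the Policies hive it overrides per-user Internet Options settings. It only prevents new ActiveX controls from being installed; controls that are already installed continue to run, so treat it as a stopgap until the September 14th update is applied. To revert, delete the 1001 and 1004 values from the four zone keys and reboot.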

References:

Microsoft Security Notice: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
Microsoft ActiveX Controls for IE: https://support.microsoft.com/en-us/windows/use-activex-controls-for-internet-explorer-11-25738d05-d357-39b4-eb2f-fdd074bbf347


Robert D. Stewart

Founder & Head, Strategic Threat Intelligence

Robert is a technology incident and crisis management specialist with over 3200 hours leading critical recoveries and investigations within regulated industries.

Robert has built cyber incident and global crisis processes for the Fusion Centres of two major North American banks. With an extensive focus on operational resiliency, Robert worked as a Global Crisis Management Specialist, leading the technical migration for the pandemic for a multi-national financial institution.

Robert is a threat intelligence specialist focused on preventing large scale incidents and attacks before they happen, with unparalleled experience in incident response: 650 critical incidents within the global financial sector leading to the recovery of over 250 unique global financial systems, with 6000 executive communications and briefings issued, and over 200 post-incident reviews.