Date: Sept 8, 2021
Impacted Applications: Internet Explorer, Office
Microsoft has announced a zero-day vulnerability (one that is known but has no fix in place yet) and has confirmed to customers that criminals are actively exploiting it in cyber-attacks. The vulnerability is tracked as CVE-2021-40444.
- When exploited, this vulnerability allows attackers to take control of a desktop or server when users open a malicious Microsoft Office document or visit a ‘booby trapped’ website.
- In its security advisory, Microsoft stated the following:
- “An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” Microsoft wrote. “The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
- There is currently no patch available from Microsoft to fix the vulnerability.
- Independent security researchers have described the exploit as “reliable and dangerous.” It is expected that a patch will be released by Microsoft on their monthly ‘Patch Tuesday’ on September 14th.
- Although a fix is not available, Microsoft has provided the following temporary mitigation:
- Disable all ActiveX controls within Internet Explorer (IE) to stop the exploit from being leveraged.
- Users should ensure all Microsoft systems are patched and up to date, and should regularly check for updates over the next 14 days.
- It is recommended that users remain extra diligent when clicking links and opening attachments, as these can be used as attack methods for this vulnerability.
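One way to verify the ActiveX mitigation on a Windows host, as an added example that is not part of the original notice or Microsoft's own code: the PowerShell below reports, for each IE security zone, whether downloading ActiveX controls is disabled by machine policy. The registry path, the URL action numbers 1001 and 1004, and the value 3 (Disable) are standard IE zone settings that are not quoted on this page, so treat them as assumptions.

```powershell
# Added example: audit whether ActiveX control download is disabled in every IE zone.
# Assumptions (not from the notice above): machine-wide zone policy is stored under the
# key below; URL action 1001 = download signed ActiveX controls, 1004 = download
# unsigned ActiveX controls; a value of 3 means "Disable".
$base     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = [ordered]@{ '0' = 'Local Machine'; '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet' }
$actions  = [ordered]@{ '1001' = 'Download signed ActiveX'; '1004' = 'Download unsigned ActiveX' }
$disabled = 3

function Get-ActiveXZoneAudit {
    foreach ($zone in $zones.Keys) {
        $path = Join-Path $base $zone
        foreach ($action in $actions.Keys) {
            $value = $null
            if (Test-Path $path) {
                # A missing value yields $null rather than an error.
                $item  = Get-ItemProperty -Path $path -Name $action -ErrorAction SilentlyContinue
                $value = $item.$action
            }
            [pscustomobject]@{
                Zone      = $zones[$zone]
                Action    = $actions[$action]
                Value     = if ($null -eq $value) { 'not set' } else { $value }
                Mitigated = ($value -eq $disabled)
            }
        }
    }
}

$results = @(Get-ActiveXZoneAudit)
$results | Format-Table -AutoSize

# A zone with no policy value falls back to per-user or default settings,
# so it is reported as not mitigated.
$gaps = @($results | Where-Object { -not $_.Mitigated })
if ($gaps.Count -gt 0) {
    Write-Warning "$($gaps.Count) zone setting(s) still allow ActiveX control download."
    exit 1
}
Write-Output 'ActiveX control download is disabled by policy in all four zones.'
```

The script only reads the registry, so it can be run without elevation and used as a compliance check across hosts until the patch is installed.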
Microsoft Security Notice: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
Microsoft ActiveX Controls for IE: https://support.microsoft.com/en-us/windows/use-activex-controls-for-internet-explorer-11-25738d05-d357-39b4-eb2f-fdd074bbf347