Security News > 2021 > September > Miscreants fling booby-trapped Office files at victims, no patch yet, says Microsoft

In an advisory issued on Tuesday, Microsoft said some of its users were targeted by poisoned Office documents that exploit an unpatched flaw to hijack their Windows machines.
Miscreants are seemingly placing a malicious ActiveX control in an Office document and convincing victims to open or view it, potentially achieving remote code execution.
"Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents."
It went on to say how others could also exploit the bug, for which no patch exists yet: "An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
"We have reproduced the attack on the latest Office 2019/Office 365 on Windows 10, for all affected versions please read the Microsoft Security Advisory," EXPMON said.
Microsoft is no doubt working on a patch though as a workaround, you can protect yourself further by disabling the installation of all ActiveX controls by altering the registry and rebooting.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/09/07/microsoft_office_zero_day/
Related news
- Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws (source)
- February's Patch Tuesday sees Microsoft offer just 63 fixes (source)
- Microsoft’s Patch Tuesday Fixes 63 Flaws, Including Two Under Active Exploitation (source)
- Patch Tuesday: Microsoft Patches Two Actively Exploited Zero-Day Flaws (source)
- Microsoft launches ad-supported Office apps for Windows users (source)
- Microsoft tests ad-supported Office apps for Windows users (source)
- Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws (source)
- Patch Tuesday: Microsoft Fixes 57 Security Flaws – Including Active Zero-Days (source)
- Microsoft: New Windows scheduled task will launch Office apps faster (source)
- April 2025 Patch Tuesday forecast: More AI security introduced by Microsoft (source)