Security News > 2021 > September > Miscreants fling booby-trapped Office files at victims, no patch yet, says Microsoft
In an advisory issued on Tuesday, Microsoft said some of its users were targeted by poisoned Office documents that exploit an unpatched flaw to hijack their Windows machines.
Miscreants are seemingly placing a malicious ActiveX control in an Office document and convincing victims to open or view it, potentially achieving remote code execution.
"Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents."
It went on to say how others could also exploit the bug, for which no patch exists yet: "An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
"We have reproduced the attack on the latest Office 2019/Office 365 on Windows 10, for all affected versions please read the Microsoft Security Advisory," EXPMON said.
Microsoft is no doubt working on a patch though as a workaround, you can protect yourself further by disabling the installation of all ActiveX controls by altering the registry and rebooting.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/09/07/microsoft_office_zero_day/
Related news
- Microsoft Warns of Unpatched Office Vulnerability Leading to Data Exposure (source)
- Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited (source)
- Microsoft Office 2024 to disable ActiveX controls by default (source)
- Microsoft Is Disabling Default ActiveX Controls in Office 2024 to Improve Security (source)
- Microsoft September 2024 Patch Tuesday fixes 4 zero-days, 79 flaws (source)
- Patch Tuesday for September 2024: Microsoft Catches Four Zero-Day Vulnerabilities (source)
- Microsoft rolls out Office LTSC 2024 for Windows and Mac (source)
- Microsoft confirms IE bug squashed in Patch Tuesday was exploited zero-day (source)
- Microsoft Office 2024 now available for Windows and macOS users (source)