Security News > 2021 > September > Miscreants fling booby-trapped Office files at victims, no patch yet, says Microsoft

In an advisory issued on Tuesday, Microsoft said some of its users were targeted by poisoned Office documents that exploit an unpatched flaw to hijack their Windows machines.

Miscreants are seemingly placing a malicious ActiveX control in an Office document and convincing victims to open or view it, potentially achieving remote code execution.

"Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents."

It went on to say how others could also exploit the bug, for which no patch exists yet: "An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

"We have reproduced the attack on the latest Office 2019/Office 365 on Windows 10, for all affected versions please read the Microsoft Security Advisory," EXPMON said.

Microsoft is no doubt working on a patch though as a workaround, you can protect yourself further by disabling the installation of all ActiveX controls by altering the registry and rebooting.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/09/07/microsoft_office_zero_day/