Security News > 2021 > September > New 0-Day Attack Targeting Windows Users With Microsoft Office Documents
Microsoft on Tuesday warned of an actively exploited zero-day flaw impacting Internet Explorer that's being used to hijack vulnerable Windows systems by leveraging weaponized Office documents.
"Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents," the company said.
"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," it added.
EXPMON, in a tweet, noted it they found the vulnerability after detecting a "Highly sophisticated zero-day attack" aimed at Microsoft Office users, adding it passed on its findings to Microsoft on Sunday.
It's worth noting that the current attack can be suppressed if Microsoft Office is run with default configurations, wherein documents downloaded from the web are opened in Protected View or Application Guard for Office, which is designed to prevent untrusted files from accessing trusted resources in the compromised system.
Microsoft, upon completion of the investigation, is expected to either release a security update as part of its Patch Tuesday monthly release cycle or issue an out-of-band patch "Depending on customer needs." In the interim, the Windows maker is urging users and organizations to disable all ActiveX controls in Internet Explorer to mitigate any potential attack.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/8XfTlHB1Kh8/new-0-day-attack-targeting-windows.html
Related news
- Microsoft Office 2024 now available for Windows and macOS users (source)
- Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack (source)
- Microsoft rolls out Office LTSC 2024 for Windows and Mac (source)
- Microsoft Is Disabling Default ActiveX Controls in Office 2024 to Improve Security (source)
- Microsoft to start force-upgrading Windows 22H2 systems next month (source)
- Microsoft fixes Windows Smart App Control zero-day exploited since 2018 (source)
- Microsoft fixes Windows Server performance issues from August updates (source)
- Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws (source)
- Week in review: Veeam Backup & Replication RCE could soon be exploited, Microsoft fixes 4 0-days (source)
- Windows vulnerability abused braille “spaces” in zero-day attacks (source)