Security News > 2021 > September > Microsoft, CISA Urge Mitigations for Zero-Day RCE Flaw in Windows
Both Microsoft and federal cybersecurity officials are urging organizations to use mitigations to combat a zero-day remote control execution vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents.
Microsoft has not revealed much about the MSHTML bug, tracked as CVE-2021-40444, beyond that it is "Aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents," according to an advisory released Tuesday.
It's serious enough that the Cybersecurity and Infrastructure Security Agency released an advisory of its own alerting users and administrators to the vulnerability and recommending that they use the mitigations and workarounds Microsoft recommends.
The vulnerability allows an attacker to craft a malicious ActiveX control that can be used by a Microsoft Office document that hosts the browser rendering engine, according to Microsoft.
Though Microsoft is still investigating the vulnerability, it could prove to go beyond affecting just Microsoft Office documents due to the ubiquitous use of MSHTML on Windows, warned Jake Williams, co-founder and CTO at incident response firm BreachQuest.
Microsoft has offered some advice for organizations affected by the vulnerability-first discovered by Rick Cole of the Microsoft Security Response Center, Haifei Li of EXPMON, and Dhanesh Kizhakkinan, Bryce Abdo and Genwei Jiang of Mandiant-until it can offer its own security update.
News URL
https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/
Related news
- Week in review: Windows Event Log zero-day, exploited critical Jenkins RCE flaw (source)
- Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days (source)
- Microsoft: New critical Outlook RCE bug exploited as zero-day (source)
- CISA tags Microsoft SharePoint RCE bug as actively exploited (source)
- Microsoft is bringing the Linux sudo command to Windows Server (source)
- Microsoft unveils new 'Sudo for Windows' feature in Windows 11 (source)
- Microsoft fixes Copilot issue blocking Windows 11 upgrades (source)
- New Fortinet RCE bug is actively exploited, CISA confirms (source)
- Microsoft Introduces Linux-Like 'sudo' Command to Windows 11 (source)
- Microsoft tests Windows 11 ‘Super Resolution’ AI-upscaling for gamers (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-09-15 | CVE-2021-40444 | Path Traversal vulnerability in Microsoft products <p>Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. | 8.8 |