Cyber Security News

Unpatched Windows 0-Day Bug Attacking Users Using MS Office Documents

As per the Microsoft investigation report, Remote code execution vulnerability in MSHTML affects Microsoft Windows. About the targeted attack Microsoft knows, they try to exploit the vulnerability by using specially crafted Microsoft Office documents.

The MSHTML is a browser rendering engine that allows the Microsoft Internet Explorer Web browser to read and display HTML Web pages.

An Attacker can craft the Microsoft Office document to control the malicious ActiveX, and host the browser that rendering the engine. First, the attacker has to convince the user for opening the malicious documents. User accounts have to be configured in the system so that users can get administrative rights quickly.

Microsoft assigned a CVE-2021-40444 for this MSHTML Remote Code Execution Vulnerability and marked it as a high severity vulnerability with the  8.8/10 impact level.

“Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.”

Soon after the specific ActiveX control will drop the malware onto the victim’s device which is called by Microsoft as “: “Suspicious Cpl File Execution”.

EXPMON is able to reproduce the attack on the latest Office 2019 / Office 365 on Windows 10 in the normal user environment.

Microsoft Defender Endpoint and Antivirus both provide the detection and protection against the vulnerability. The customer has to make sure that he keeps all the antimalware products up to date. Customers have to utilize the automatic updates, which do not need additional action every enterprise customer who can manage the updates, needs to select the detection by building 1.349.22.0. Microsoft defender endpoint alerts by displaying “Suspicious Cpl File Execution”.

After the investigation completion, Microsoft takes action to protect their valuable customers. This also includes the security update related to the monthly release of an out-of-cycle security update. Of course, everything depends on the customer’s needs.

Here mitigation and workaround section has been discussed so that user can protect their system from this vulnerability.

By Default Action:

Microsoft Office always opens the documents as an application guard for the office to prevent the current attacks.

ActiveX controls:

  • It disables the ActiveX installation where the internet Explorer gets the mitigate attack. This is accomplished by the sites which run continuously but do not expose the vulnerability.
  • Double-click the .reg file to apply it to your Policy hive.
  • Reboot the system to ensure the new configuration is applied.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

The above information all are Microsoft knowledge-based and without warranty. Microsoft disclaimed all warranties for a particular purpose. Some states provide its limitation for some incidental damage.

Follow us on LinkedinTwitterFacebook for daily Cybersecurity News & Updates


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.

Recent Posts

Defend Ransomware Attacks With Top Effective Proactive Measures in 2024

We're currently living in an age where digital threats loom large. Among these, ransomware has…

48 mins ago

GoTitan Botnet Actively Exploiting Apache ActiveMQ Vulnerability

Attackers are exploiting the recently discovered critical security vulnerability tracked as (CVE-2023-46604) affecting Apache ActiveMQ…

17 hours ago

Cybercriminals are Showing Hesitation to Utilize AI When Executing Cyber Attacks

Media reports highlight the sale of LLMs like WormGPT and FraudGPT on underground forums. Fears…

18 hours ago

Vigil: Open-source Security Scanner for LLM Models Like ChatGPT

An open-source security scanner, developed by Git Hub user Adam Swanda, was released to explore…

19 hours ago

Slovenia’s Biggest Power Provider has Suffered a Cyberattack

One of Slovenia's major power providers, HSE, has recently fallen victim to a significant cyberattack.…

19 hours ago

Genesis Market Technique: Hackers Exploited Node.js and EV Certificates

In the labyrinthine landscape of cyber threats, the Trend Micro Managed XDR team has uncovered…

21 hours ago