Mitigations Available for Latest Office Zero Day
There's no patch yet, but Microsoft has released a workaround to mitigate the latest zero day, a vulnerability announced this week in Windows 10 and Windows Server.
Administrators are encouraged to implement a workaround for a new zero day vulnerability in Microsoft Office that the company says attackers have already attempted to exploit in targeted attacks.
In an advisory published on Tuesday, the company provided guidance to mitigate the bug, a remote code execution vulnerability (CVE-2021-40444) in MSHTML, which could be exploited through a rigged Office document. On Windows, Internet Explorer is based on the MSHTML browser engine, much as Safari and Chrome are based on WebKit.
While there isn't a patch available yet, organizations could apply a mitigation - ensuring that files are opened in Protected View or Application Guard for Office - or implement a workaround - disabling the installation of all ActiveX controls in Internet Explorer - to prevent exploitation.
Microsoft also notes that user accounts configured with fewer rights on the system may be less affected than users who operate with administrative rights.
According to Microsoft, an attacker could exploit the vulnerability by crafting a malicious ActiveX control that's used by a document that hosts the browser rendering engine. If and when a victim opens the file, the vulnerability could be exploited.
The company says it's still in the middle of investigating the vulnerability and that it may ultimately release a patch for it either during its usual monthly Patch Tuesday updates or an out-of-cycle security update.
While the CVSS 3.0 rating, 8.8, means the vulnerability is worth addressing, the fact that the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency also warned about it this week lends it some credence as well. CISA encouraged users to follow Microsoft’s guidance on Tuesday.
Realistically, as long as your organization has Office set up to open documents in Protected View or Application Guard, something that's largely done by default, the risk should be low. Disabling ActiveX and making the necessary registry changes - Microsoft gets into those further in its advisory - shouldn't be too much of a disruption either.
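As an added example, not from the article or from Microsoft's advisory, the PowerShell below applies the "disable ActiveX installation in Internet Explorer" workaround described above and then checks that Office Protected View has not been switched off for the current user. The registry paths are the standard IE zone policy keys and Office Protected View keys; the Office 16.0 hive and the per-user scope of the Protected View check are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article or Microsoft's advisory. Applies the
# "disable ActiveX installation in IE" workaround and checks that Office
# Protected View has not been switched off. Paths are the standard IE zone
# policy keys and Office Protected View keys; Office 16.0 is assumed.

$ZoneRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# 1001 = download signed ActiveX controls, 1004 = download unsigned ones;
# 3 = Disable. Zones 0-3: Local Machine, Local Intranet, Trusted Sites, Internet.
$ActiveXValues = @{ '1001' = 3; '1004' = 3 }
function Set-ActiveXDownloadDisabled {
    foreach ($zone in 0..3) {
        $path = Join-Path $ZoneRoot $zone
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $ActiveXValues.Keys) {
            New-ItemProperty -Path $path -Name $name -Value $ActiveXValues[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-ActiveXDownloadDisabled {
    # $true only when every zone has both values set to 3 (Disable)
    $ok = $true
    foreach ($zone in 0..3) {
        $path = Join-Path $ZoneRoot $zone
        foreach ($name in $ActiveXValues.Keys) {
            $cur = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            if ($cur -ne 3) { Write-Warning "Zone ${zone}: $name is '$cur', expected 3"; $ok = $false }
        }
    }
    return $ok
}

function Test-ProtectedViewEnabled {
    # Protected View is on by default; a value of 1 means someone turned it off.
    $ok = $true
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $pv = "HKCU:\Software\Microsoft\Office\16.0\$app\Security\ProtectedView"
        foreach ($name in 'DisableInternetFilesInPV', 'DisableAttachmentsInPV', 'DisableUnsafeLocationsInPV') {
            $v = (Get-ItemProperty -Path $pv -Name $name -ErrorAction SilentlyContinue).$name
            if ($v -eq 1) { Write-Warning "${app}: $name = 1 (Protected View off)"; $ok = $false }
        }
    }
    return $ok
}

Set-ActiveXDownloadDisabled
"ActiveX download disabled in all IE zones: $(Test-ActiveXDownloadDisabled)"
"Protected View still enabled for current user: $(Test-ProtectedViewEnabled)"
```

Because the values live under the Policies hive they behave as enforced policy and show as greyed out in Internet Options; to roll back once a patch is installed, remove the 1001 and 1004 values from each zone key.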
For those curious, Edge, Microsoft’s latest browser, isn’t affected by the issue; only Windows Server 2008 through 2019 and Windows 8.1 through 10, in which IE is still present, are.
Microsoft didn’t get into how widespread exploitation of the vulnerability, which was discovered by researchers with Mandiant and EXPMON, has been, saying only that it was aware of attempted exploitation.