“Microsoft has warned Windows 10 users that a previously unknown, and therefore unpatched, security vulnerability is being exploited by cybercriminals. The zero-day is a high-rated vulnerability (falling just short of critical) that could allow an attacker to remotely execute code on the target computer and potentially gain complete control.
Additionally, Microsoft has confirmed that cybercriminals are known to be already exploiting CVE-2021-40444 and advises users to take speedy mitigation action until an official patch becomes available. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is following Microsoft’s lead and also “encourages users and administrators” to “implement the mitigations and workarounds.”
The latest Windows zero-day vulnerability explained
The vulnerability itself sits within the Internet Explorer browser rendering engine, MSHTML, which might sound like a good thing. After all, nobody uses Internet Explorer anymore, right? Wrong. Microsoft Office documents also use that rendering engine, and that’s where the attackers are aiming the exploit. The zero-day was reported to Microsoft on the morning of Sunday, 5 September, by a researcher at EXPMON. The exploitation detection company tweeted that Office users should be “extremely cautious” about files until a patch is made available.
Microsoft’s security update guide confirms the vulnerability is currently being exploited
MICROSOFTThe attackers are using Office documents that load MSHTML when opened to render a specially constructed malicious web page and employ an ActiveX control to download the malware payload. Users without administrator rights will be less impacted than those with greater privileges, of course.
“Although this attack does require user interaction,” Scott Caveza, a research engineering manager at Tenable, says, “threat actors are likely to target victim organizations with tailored emails or attempt to exploit current news events for a higher success rate.”
You can read a technical deep dive into multiple documents infected by this exploit here.”
