September 8, 2021

Microsoft Corp. warns that attackers are exploiting a previously unknown vulnerability in Windows 10 and many Windows Server versions to seize control over PCs when users open a malicious document or visit a booby-trapped website. There is currently no official patch for the flaw, but Microsoft has released recommendations for mitigating the threat.

According to a security advisory from Redmond, the security hole CVE-2021-40444 affects the “MSHTML” component of Internet Explorer (IE) on Windows 10 and many Windows Server versions. IE has been slowly abandoned in favor of more recent Windows browsers like Edge, but the same vulnerable component is also used by Microsoft Office applications for rendering web-based content.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” Microsoft wrote. “The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Microsoft has not yet released a patch for CVE-2021-40444, but says users can mitigate the threat from this flaw by disabling the installation of all ActiveX controls in IE. Microsoft says the vulnerability is currently being used in targeted attacks, although its advisory credits three different entities with reporting the flaw.
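Microsoft's interim workaround implements “disable the installation of all ActiveX controls in IE” as registry policy: the URL actions 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) are set to 3 (Disable) for Internet zones 0 through 3. The script below is an added example, not part of this article or of Microsoft's advisory; it audits those values and, with -Apply, sets them. The key path and values are taken from the advisory's published .reg workaround, so check them against the current advisory before deploying.

```powershell
# Audit (and optionally apply) Microsoft's interim workaround for CVE-2021-40444:
# set URL actions 1001 (download signed ActiveX) and 1004 (download unsigned
# ActiveX) to 3 = Disable in Internet zones 0-3 under the machine policy key.
# Key path and values follow the advisory's .reg file; run elevated to apply.
param([switch]$Apply)

$base    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$actions = @{ '1001' = 'Download signed ActiveX controls'
              '1004' = 'Download unsigned ActiveX controls' }
$disable = 3   # URLPOLICY_DISALLOW

$results = foreach ($zone in 0..3) {
    $key = Join-Path $base $zone
    foreach ($id in $actions.Keys) {
        $current = $null
        if (Test-Path $key) {
            # Missing value -> $null (ErrorAction keeps the audit quiet)
            $current = (Get-ItemProperty -Path $key -Name $id -ErrorAction SilentlyContinue).$id
        }
        if ($Apply -and $current -ne $disable) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # DWord, matching the advisory's "1001"=dword:00000003 form
            New-ItemProperty -Path $key -Name $id -Value $disable -PropertyType DWord -Force | Out-Null
            $current = $disable
        }
        [pscustomobject]@{
            Zone      = $zone
            Action    = "$id ($($actions[$id]))"
            Value     = if ($null -eq $current) { '<not set>' } else { $current }
            Mitigated = ($current -eq $disable)
        }
    }
}

$results | Format-Table -AutoSize
if ($results.Mitigated -contains $false) {
    Write-Warning 'Workaround not fully applied; re-run with -Apply from an elevated prompt.'
}
```

Running it without -Apply is a harmless read-only check that fleet tooling can collect; a row showing “<not set>” or any value other than 3 means that zone still allows the control download path the advisory describes.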

One of the researchers credited, EXPMON, said on Twitter that it had reproduced the attack on the latest Office 2019 / Office 365 on Windows 10.

“The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous),” EXPMON tweeted.

Windows users could see an official fix for the bug as soon as September 14, when Microsoft is slated to release its monthly “Patch Tuesday” bundle of security updates.

This year has been a tough one for Windows users and so-called “zero day” threats, a term that refers to vulnerabilities that are not patched by current versions of the software in question and are being actively exploited to break into vulnerable computers.

Virtually every month in 2021 so far, Microsoft has been forced to respond to zero-day threats targeting huge swaths of its user base. In fact, by my count May was the only month so far this year that Microsoft didn’t release a patch to fix at least one zero-day attack in Windows or supported software.

Many of those zero-days involve older Microsoft technologies or those that have been retired, like IE11; Microsoft officially retired support for Microsoft Office 365 apps and services on IE11 last month. In July, Microsoft rushed out a fix for the Print Nightmare vulnerability that was present in every supported version of Windows, only to see the patch cause problems for a number of Windows users.

On June’s Patch Tuesday, Microsoft addressed six zero-day security holes. And of course in March, hundreds of thousands of organizations running Microsoft Exchange email servers found those systems compromised with backdoors thanks to four zero-day flaws in Exchange.


29 thoughts on “Microsoft: Attackers Exploiting Windows Zero-Day Flaw”

  1. Dave

    This is only a CVS 7.9 because it pops the “protected view” dialogue. Users never click that!!! 😀

  2. ReadandShare

    Not totally foolproof, but yet another reason to sign in as ‘standard’ user.

  3. CaptObvious

    Just implement, at least, the first 5 CIS Controls(v7.1) which will protect/solve 90% + of these vulnerabilities.

  4. Lora mullins

    Don’t know if this qualifies as what this report says, but my email accounts by Microsoft were scammed in the name of Amazon, which demanded 8.99 a month payment for a firestick programming package of Prime and Netflix. I said no. I got an email saying they would close my Amazon purchasing account if I didn’t reinstall the firestick program; I said go ahead, no problem, they did. Then I got a gazillion emails from them, all in the name of Amazon. I got mad and blocked them. They sent an email to all my friends asking for 200.00, saying I bought something I couldn’t pay for; luckily I had time to email my friends not to send money because that’s extortion. Then all my email accounts were closed. I filed a complaint with FCC, FTC, BBB, CONSUMER PROTECTION GROUP, SAMSUNG, MICROSOFT, FRAUD DEPT IN COLORADO, GOOGLE. NO RESPONSES, NO ONE CARES, so just my bad luck, what a disgrace

    1. Nobby Nobbs

      Sorry, Lora, I’m afraid that was scams all the way down.

  5. monke

    “zero-day” sounds like some kind of marketting mumbo jumbo designed to make us freak out without actually explaining anything about the bug itself (e.g. what does it do, how serious is it, can we do anything other than wait for a patch, etc). What does “zero-day security bug” tell us that isn’t already explained by simply referring to it as a “security bug”? Is there such a thing as a 42-day bug??

    1. not Brian

      The explanation in the article seems clear:
      “This year has been a tough one for Windows users and so-called “zero day” threats, which refers to vulnerabilities that are not patched by current versions of the software in question, and are being actively exploited to break into vulnerable computers.”

      Many “security bugs” have patches and updates available and are not as scary. They shouldn’t be. Also, there are lots of “security bugs” that do not have an exploit and/or are not being exploited in the wild. Vendors get bug reports and quietly fix them before they’re known to the public.

      It’s this contrast that does show why “zero day” should be particularly frightening. It’s not marketing, it’s a call to arms. The mongols have breached the gates.

  6. Nobby Nobbs

    I use LibreOffice (with scripting disabled) and Firefox (NoScript by default).

    So, for me ActiveX is ONLY a detriment. Is there a way I can eliminate ActiveX? Expunge it completely from my system? (I can dual-boot into Linux, but, games!)

    Also, thanks again for the cogent summary, Brian.

    1. Jordan

      Ohhhhhh.. how did you disable scripts in Libre office?! Been looking to do this!

      1. RobG

        >how did you disable scripts in Libre office? <

        Paste the following into your favourite search engine….

        "disable scripts in libra office"

  7. bob slydell

    At Innatek, to avoid zero days the Bobs and I implemented pencils, paper, facts, reason, logic. For some gosh darn reason, the millennials and zoomers just quit?!! Glad automation and CCP are on track for rollout. Darn tootin, no more crying and smart alecky responses from young whipper snappers anymore!!

  8. lawrence

    just making sure you got your TPS reports.. triple post excuse.

    1. Bob the Intern

      So we’re putting new cover sheets on the TPS reports now. Did you get the memo?
      Yeah… I’m going to go ahead and forward you another copy of that memo. If you could make sure to do those cover sheets for the TPS reports, that’d be great!

      1. but thats my stapler

        while you’re at it… gonna need you to come in this weekend… okay.. good talk.

  9. vb

    This is a pretty low bar: “…convince the user to open the malicious document…” Even in “Protected View” most people can be convinced to “Enable Editing” because the document tells them to and tells them how. Microsoft was not written to be “idiot proof”.

  10. Jim

    Yes sir, Redmond curse was hyped to end such wounds. My 7 pro is just fine.

  11. Microsoft Marketing Buzzword

    Why is this even news?
    Yes, you can abuse ActiveX controls in Word to execute code; is this not common knowledge, as are macros?
    There are a thousand ways to do this on Windows, and there always will be.
    There are hundreds of ways to do this on Chrome OS, and there always will be.
    This is just a pretty looking marketing buzzword to try and grift more cloud 365 enrollments to their “Zero Trust” (aka Buy more SaaS from MS).
    They have been playing these same games since the late 90s.

  12. Alex Mondale

    It’s humorous to me how poorly written and ancient MS articles are in describing exactly how to disable ActiveX capabilities that are documented to exist in their Office line of products, i.e., https://docs.microsoft.com/en-us/previous-versions/office/office-2010/cc179076(v=office.14)?redirectedfrom=MSDN … I mean, c’mon, where’s the beef??!

    If you give me ten years to find vulnerabilities in a 15-20 year old technology that still is required by 2021 software, I would think it wouldn’t be too tough a challenge!

    1. Alex Mondale

      Please be careful when you unkill the kill bit (may turn into the “Kill Bill Bit” :))

      From the above 10-year-old article on ActiveX controls (yeah, back when IE ruled!):

      Warning

      We do not recommend unkilling (undoing the kill action on) a COM object. If you do this, you might create security vulnerabilities. The kill bit is typically set for a reason that might be critical, and because of this, extreme care must be used when you unkill an ActiveX control.

  13. Alex Mondale

    The mysterious “kill bill” bit:

    Warning

    We do not recommend unkilling (undoing the kill action on) a COM object. If you do this, you might create security vulnerabilities. The kill bit is typically set for a reason that might be critical, and because of this, extreme care must be used when you unkill an ActiveX control.

  14. muffin

    For us non-IT people, should we just disable IE11 in Windows 10?

  15. TweakUI fan

    Set .mhtml to open with Notepad as default five years ago after seeing malware attempts in spam folder attachments using this extension. Switching it to Notepad has only very rarely caused problems. A few HP printers’ software fails, but other than that, no issues.
