Microsoft Discovers Major Zero-Day Security Flaw

On the 7th of September Microsoft warned of an actively exploited zero-day flaw with significant repercussions for a limited number of Windows and Office users. The flaw allowed attackers to hijack vulnerable Windows systems using malware-laden Office documents.

A Microsoft spokesperson stated that "Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents."

The vulnerability has been identified as CVE-2021-40444. It is a remote code execution zero-day in MSHTML, the browser rendering engine used by Office, which allows an attacker to craft a malicious ActiveX control that is loaded by a Microsoft Office document and used to infect the system with malicious content.

Once the ActiveX control has been embedded, all the attackers must do is convince a user to open the malicious file. This is often done through large-scale phishing, usually disguising the document as an unpaid invoice or another file that appears to require urgent attention.

EXPMON, one of the initial reporters of the vulnerability, described the exploit as a "highly sophisticated zero-day attack" and successfully reproduced it for research purposes on both Office 2019 and Office 365 for Windows 10, finding that users with admin permissions were hit the hardest by the malware.

Microsoft has already stepped in with mitigation suggestions whilst it works on a fix. It currently recommends opening all documents in Protected View or via Application Guard for Office, either of which prevents the embedded control from running with the user's privileges.