Microsoft has issued a warning that hackers are actively exploiting a remote code execution vulnerability in which specially crafted Office files are used to deliver malicious code. The vulnerability, CVE-2021-40444, affects Windows Server versions from 2008 onward and Windows 7 through Windows 10.
Hackers send targeted victims an Office file and trick them into opening it. Once opened, the file automatically opens Internet Explorer and loads the hacker's website, which carries a malicious ActiveX control; that control then downloads the malicious code to the victim's computer.
Several security researchers have reported this vulnerability to Microsoft.
One of them, Haifei Li from EXPMON, told BleepingComputer that this method is 100% accurate: the victim only needs to open the file, and the computer will be infected with malicious code.
In Li's case, the attack they encountered used a .DOCX file. Microsoft has not yet released a security patch for this vulnerability, but it has published some mitigations to prevent computers from being infected.
Microsoft says that both Microsoft Defender Antivirus and Microsoft Defender for Endpoint can detect documents that exploit this vulnerability and block the resulting malware infection, so users need to keep them updated and running.
The company also recommends that users disable all ActiveX controls in Internet Explorer. The Microsoft security advisory explains how to do this, including the Internet Explorer registry changes to make and the need to restart the computer afterward.
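As an added illustration of the registry-based mitigation the article refers to (this script is not part of the article or of Microsoft's advisory), the following PowerShell sets the Internet Explorer zone policy values that, to this editor's knowledge, Microsoft's published workaround for CVE-2021-40444 uses to disable downloading of signed and unsigned ActiveX controls. The key path and the value names 1001 and 1004 are assumed from that workaround; confirm them against the advisory before deploying, and run the script from an elevated PowerShell session.

```powershell
# Added example, not from the article or from Microsoft's advisory text.
# Assumption: Microsoft's CVE-2021-40444 workaround sets DWORD values 1001
# ("Download signed ActiveX controls") and 1004 ("Download unsigned ActiveX
# controls") to 3 ("Disable") in IE zones 0-3 under the Policies hive.
# Verify against the advisory before use. Requires an elevated session.

$zonesRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# 3 = Disable for both URL actions
$policyValues = @{ '1001' = 3; '1004' = 3 }

# Zone 0 = Local Machine, 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet
foreach ($zone in 0..3) {
    $keyPath = Join-Path -Path $zonesRoot -ChildPath $zone
    if (-not (Test-Path -Path $keyPath)) {
        # The Policies zone keys usually do not exist until a policy is set
        New-Item -Path $keyPath -Force | Out-Null
    }
    foreach ($name in $policyValues.Keys) {
        Set-ItemProperty -Path $keyPath -Name $name -Value $policyValues[$name] -Type DWord
    }
}

# Read the values back so the change can be confirmed before rebooting
foreach ($zone in 0..3) {
    $keyPath = Join-Path -Path $zonesRoot -ChildPath $zone
    $props = Get-ItemProperty -Path $keyPath -Name '1001', '1004'
    '{0,-4} 1001={1} 1004={2}' -f "Zone$zone", $props.'1001', $props.'1004'
}

Write-Host 'Restart the computer for the ActiveX policy change to take effect.'
```

Because the values live under the Policies branch of HKLM, they override the per-user zone settings in Internet Explorer's Internet Options dialog and apply to every account on the machine, which is why a restart is needed for the change to be picked up consistently. Removing the two values from each zone key (and restarting) reverts the mitigation.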
Tung Phong (Translation from Engadget)