What’s Happening With This New Exploit?
According to Brian Krebs, the issue pops up with the MSHTML part of Internet Explorer. Unfortunately, it also affects Microsoft Office, as it uses the same component to render web-based content within Office documents.
Microsoft has the exploit listed as CVE-2021-40444, and the company hasn’t released a patch for it yet. Instead, the company suggests disabling the installation of all ActiveX controls in Internet Explorer to mitigate the risk of attack.
While that sounds great, the problem is that disabling the installation of all ActiveX controls in Internet Explorer requires messing around with the registry, which can cause severe issues if not done correctly. Microsoft has a guide on this page that shows you how to do it, but make sure you’re careful.
Microsoft wrote a post on the issue, saying, “An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
Research group EXPMON posted that it was able to reproduce the attack. “We have reproduced the attack on the latest Office 2019 / Office 365 on Windows 10 (typical user environment), for all affected versions please read the Microsoft Security Advisory. The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous),” it said on Twitter.
We could see an official fix for the exploit on September 14, 2021, when Microsoft is set to do its next “Patch Tuesday” update. In the meantime, you’ll need to be careful and disable the installation of ActiveX controls in Internet Explorer.