Microsoft Office Documents being exploited for a Zero-Day Attack against Windows Users

September 20, 2021
Microsoft Office Documents exploited Zero Day Attack Vulnerability Windows Users

Active exploitation of zero-day attacks was reported by Microsoft last Tuesday as it impacts Internet Explorer. The browser is used in hijacking Windows systems vulnerability by taking advantage of manipulated Microsoft Office documents. 

A zero-day attack refers to a problem wherein the victim has only learned about the flaw so that they have “zero days” left to fix it. It is an activity that hackers do to execute an attack before the victims have a chance to work on it. 

Designated as CVE-2021-40444 with a CVSS score of 8.8, this remote code execution flaw is fixed in MSHTML or Trident. It is an exclusive browser engine for Internet Explorer and is also operated in Microsoft Office applications in rendering web contents inside documents coming from Word, PowerPoint, and Excel. 

Microsoft stated that they are presently inspecting reports of a vulnerability in remote code execution, particularly in MSHTML, directly affecting Microsoft Windows. They also added that they are mindful of the targeted attacks attempting to exploit the said vulnerability with the use of some uniquely created Microsoft Office documents. 


A malicious ActiveX control could also be constructed by the threat actors to utilise a Microsoft Office document to host the browser’s rendering engine.


Afterward, the threat actor will persuade the victim to access the malicious document. Suppose a user account is configured to own inferior user rights. In that case, their system will most likely be less impacted by the attack than those with higher administrative user rights. 

Researchers from EXPMON and Mandiant have been credited by Microsoft for escalating the flaw. However, they did not reveal more details about the attacks, their identity, and their target victims. 

From a tweet of EXPMON, they said to have found the vulnerability upon detection of a “highly sophisticated zero-day attack” targeted towards the users of Microsoft Office. This exploitation utilises logical flaws so that their operation will be reliable despite being dangerous. 

Nevertheless, it is highlighted that this zero-day attack can still be stopped if Microsoft Office runs through default system configurations. It means that the documents taken from the internet are accessed in Protected View or with Application Guard for Microsoft Office. It is developed to prevent malicious files in a compromised system from opening reliable resources. 

As a part of its patch, Microsoft is expected to release a security update upon the investigation’s completion. For now, as a part of their attack mitigation, they are encouraging users to disable all ActiveX controls in Internet Explorer. 

About the author

Leave a Reply