Microsoft has acknowledged a zero-day vulnerability in MSHTML (also known as Trident), the proprietary browser engine used by Internet Explorer and, among other things, by the Office/Microsoft 365 productivity suite to render web content. It allows remote code execution with the privileges of the user who opens a malicious document, so accounts that run with administrative rights are the most exposed. All versions of Windows 7, Windows 8.1 and Windows 10, as well as their server counterparts, are affected, and Microsoft is aware of targeted attacks already exploiting it in the wild.
The attack vector is the classic malicious Office document. An attacker crafts a document that embeds an ActiveX control, which is loaded by the MSHTML engine built into Office; the user only needs to open the document for the control to run and hand the attacker code execution. Office and Windows 10 already ship with mitigations that defeat the attack: documents that arrive from the internet or by email open in Protected View by default, which blocks the exploit as long as the user does not click "Enable Editing", and Application Guard for Office isolates untrusted documents in a container.
We reported our findings to Microsoft on Sunday and we’ve been working tirelessly through the holiday weekend to protect users. Microsoft has released a Security Advisory today for this breaking zero-day attack and acknowledged our findings. Read it here https://t.co/LlujjOSogw.
— EXPMON (@EXPMON_) September 7, 2021
Microsoft Defender Antivirus and Microsoft Defender for Endpoint, among other products, detect and block the known exploit. By following the SOURCE link you can consult all of Microsoft's workarounds and the detailed technical information. Microsoft says its investigation is still in progress but has confirmed that it will take the appropriate action to close the hole. Exactly what that means is not known, but a fix in the next Patch Tuesday is a reasonable guess, or even an out-of-band patch, since the problem is rated as serious not only by Microsoft (CVSS score of 8.8 out of 10) but also by independent researchers, who have reproduced the attack and confirmed that it works reliably.
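For machines that cannot install the update right away, the workaround Microsoft published in its advisory (blocking installation of ActiveX controls in Internet Explorer and, with it, in the MSHTML engine Office uses) can be applied and verified from PowerShell. The script below is an added example written for this page, not code from the article or from Microsoft; it assumes the advisory's registry layout (zones 0 to 3 under the Internet Settings policy key, URL actions 1001 and 1004, and the value 3 meaning "Disable") and must be run from an elevated prompt.

```powershell
# Added example: apply and verify the CVE-2021-40444 ActiveX workaround.
# Assumed layout (from Microsoft's advisory): one DWORD per URL action under
# each zone key; 1001 = URLACTION_DOWNLOAD_SIGNED_ACTIVEX,
# 1004 = URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX, value 3 = Disable.
$base    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$actions = @('1001', '1004')
$zones   = 0..3      # 0 Local Machine, 1 Local Intranet, 2 Trusted Sites, 3 Internet
$disable = 3

function Set-ActiveXInstallBlock {
    # Create each zone policy key if missing and force both actions to Disable.
    foreach ($zone in $zones) {
        $key = Join-Path $base $zone
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        foreach ($action in $actions) {
            New-ItemProperty -Path $key -Name $action -PropertyType DWord `
                -Value $disable -Force | Out-Null
        }
    }
}

function Test-ActiveXInstallBlock {
    # Returns $true only when every zone has both actions set to 3;
    # prints a warning for each value that is missing or wrong.
    $ok = $true
    foreach ($zone in $zones) {
        $key = Join-Path $base $zone
        foreach ($action in $actions) {
            $item = Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
            $value = if ($item) { $item.$action } else { $null }
            if ($value -ne $disable) {
                Write-Warning "Zone $zone, action $action is '$value' (expected $disable)"
                $ok = $false
            }
        }
    }
    return $ok
}

function Remove-ActiveXInstallBlock {
    # Revert the workaround once the September update is installed.
    foreach ($zone in $zones) {
        $key = Join-Path $base $zone
        if (Test-Path $key) {
            foreach ($action in $actions) {
                Remove-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue
            }
        }
    }
}

Set-ActiveXInstallBlock
if (Test-ActiveXInstallBlock) {
    'ActiveX installation is blocked in zones 0-3; restart Office and Internet Explorer.'
}
```

Two caveats a practitioner should keep in mind: the setting blocks installation of new ActiveX controls for every site, not just for this exploit, and controls that are already installed keep running. The values take effect only after Office and Internet Explorer are restarted, and they can be removed again (Remove-ActiveXInstallBlock above) once the patch is in place.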
As hoped, Microsoft fixed the flaw in the September Patch Tuesday release. It corrects 66 vulnerabilities, including the one that days earlier had put PCs running Windows 7, Windows 8.1 and Windows 10 at risk. The vulnerability is tracked as CVE-2021-40444 and also affects Windows Server from version 2008 onwards.