A zero-day Remote Code Execution attack targeting Office 365 and Office 2019 users has prompted Microsoft to issue a security advisory with a workaround to protect your network until a patch is available.
According to the security advisory released by Microsoft:
Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.
The vulnerability (tracked as CVE-2021-40444) in the MSHTML rendering engine can be exploited to achieve remote code execution by tricking the end user into opening a Microsoft Office document that contains a malicious ActiveX control.
By default, Microsoft Office opens documents from the internet in Protected View, displaying a yellow banner at the top of the document to warn the user. In Protected View, macros and ActiveX controls are disabled, so the attacker needs to convince the user to disable Protected View in order for the attack to proceed.
Organisations with an effective Security Awareness regime may be able to rely on their staff not to enable the malicious content. However, Microsoft has also published a workaround that disables the installation of all ActiveX controls in Internet Explorer in order to mitigate the attack until a fix is available for Office. Microsoft’s Defender Antivirus and Defender for Endpoint (build 1.349.22.0 and above) have been updated to block attempts to exploit CVE-2021-40444.