Since there are still no security patches for a Windows vulnerability that attackers are currently targeting, Microsoft advises administrators to secure their systems with workarounds. But security researchers say these do not provide reliable protection. The availability of exploit code in hacker forums exacerbates the situation.

Attackers are currently attempting to infect Windows PCs with malicious code using specially crafted Office documents. Because of a security vulnerability (CVE-2021-40444, rated “high”) in MSHTML, Windows’ HTML rendering engine, opening such a document can let a Trojan horse onto the system. A security patch for Windows 8.1 through 10 and Windows Server 2008 through 2019 is not yet available and will most likely arrive on this week’s Patch Tuesday.

After a crafted Office document is opened, an ActiveX control is what brings the malicious code onto the computer. To prevent this, Microsoft’s advisory tells administrators to disable ActiveX in Internet Explorer. It was later found that the attack can also be triggered through the document preview in Windows Explorer, so Microsoft added a further workaround to the advisory to disable it in Explorer as well.

In the meantime, however, security researchers report that such attacks are also possible without ActiveX; exactly how this works is not yet clear. According to Microsoft, Office’s Protected View, which opens files from unknown sources in a restricted mode, should protect against these attacks: an attack can only succeed once the victim enables editing.

For Office to open Word documents from the Internet in Protected View, the files must carry the Mark of the Web (MoTW). This is usually the case when Office documents are downloaded directly. However, if such a document arrives inside an archive, the MoTW is not applied and the protection mechanism does not take effect, security researchers warn. In addition, the attacks would also work with crafted RTF documents, to which Protected View does not apply.
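The MoTW dependency described above can be checked on the defender’s side: on NTFS the mark is a `Zone.Identifier` alternate data stream, and Protected View only triggers for ZoneId 3 (Internet) or 4 (Restricted). The following added example (not from the article or from Microsoft) parses that stream and flags documents that would open without Protected View; the sample stream contents are constructed, and `read_zone_identifier` only works on Windows/NTFS.

```python
import re
from typing import Optional

# Zone IDs written into the Zone.Identifier stream by browsers and mail clients
ZONE_INTERNET = 3
ZONE_RESTRICTED = 4


def parse_zone_identifier(ads_text: str) -> Optional[int]:
    """Return ZoneId from a Zone.Identifier stream body, or None if absent/malformed."""
    in_section = False
    for line in ads_text.splitlines():
        line = line.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
            continue
        if in_section and line.startswith("["):
            break  # left the [ZoneTransfer] section without finding ZoneId
        if in_section:
            m = re.match(r"(?i)zoneid\s*=\s*(\d+)$", line)
            if m:
                return int(m.group(1))
    return None


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the NTFS alternate data stream; None means the file carries no MoTW."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:  # stream missing, or not NTFS / not Windows
        return None


def opens_in_protected_view(ads_text: Optional[str]) -> bool:
    """Protected View is only triggered for Internet (3) or Restricted (4) zone files."""
    if ads_text is None:
        return False
    zone = parse_zone_identifier(ads_text)
    return zone is not None and zone >= ZONE_INTERNET


def triage(samples):
    """Return names of documents that would open outside Protected View."""
    return [name for name, ads in samples if not opens_in_protected_view(ads)]


# Constructed sample inputs (file name, Zone.Identifier body or None)
SAMPLES = [
    ("invoice.docx", "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/invoice.docx\r\n"),
    ("from_archive.docx", None),  # extracted by an archiver that drops the stream
    ("intranet.docx", "[ZoneTransfer]\r\nZoneId=1\r\n"),  # local intranet zone
]

if __name__ == "__main__":
    for name in triage(SAMPLES):
        print(f"{name}: no effective Mark of the Web, Protected View will not apply")
```

Whether Protected View actually opens also depends on the Trust Center settings in effect, so treat a missing or low ZoneId as a reason to inspect the file, not as proof of compromise.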

According to posts in a hacker forum, the attackers have already optimized their exploit. There are also relatively simple step-by-step instructions on how to create one’s own payload for attacks, which could lead to many copycats attacking Windows through the vulnerability.

Antivirus scanners such as Microsoft Defender should detect and block the current exploit, security researchers say. However, attackers can change their code at any time, so antivirus vendors will again have to catch up.
