Microsoft Corp. warns that attackers are exploiting a previously unknown vulnerability in Windows 10 and many Windows Server versions to seize control over PCs when users open a malicious document or visit a booby-trapped website. There is currently no official patch for the flaw, but Microsoft has released recommendations for mitigating the threat.
According to a security advisory from Redmond, the security hole CVE-2021-40444 affects the “MSHTML” component of Internet Explorer (IE) on Windows 10 and many Windows Server versions. IE been slowly abandoned for more recent Windows browsers like Edge, but the same vulnerable component also is used by Microsoft Office applications for rendering web-based content.
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” Microsoft wrote. “The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
Microsoft has not yet released a patch for CVE-2021-40444, but says users can mitigate the threat from this flaw by disabling the installation of all ActiveX controls in IE. Microsoft says the vulnerability is currently being used in targeted attacks, although its advisory credits three different entities with reporting the flaw.
On of the researchers credited — EXPMON — said on Twitter that it had reproduced the attack on the latest Office 2019 / Office 365 on Windows 10.
“The exploit uses logical flaws ..
Support the originator by clicking the read the rest link below.
