One of the methods most used by hackers to attack their victims’ computers is through malicious email attachments. These types of attacks are especially dangerous when targeting zero-day vulnerabilities. This is precisely what is happening with a recent campaign. This takes advantage of a bug not fixed by Microsoft to infect Windows computers through Office files.
It was Microsoft itself that has issued a warning that a remote code execution vulnerability is being actively exploited in its operating systems. The ruling, known as CVE-2021-40444, affects all versions of Windows 7, Windows 8 and Windows 10. And it also impacts Windows Server 2008 editions onwards. According to the company’s own report, the attack has a severity level of 8.8 on a scale of a maximum of 10.
What the attackers are doing is sending infected Office files in order for users to open them. In general, in order to persuade the victims, documents that appear to be legitimate are used. However, when someone opens the file, it automatically launches Internet Explorer and loads a malicious page with an ActiveX control that downloads malware that infects Windows.
Microsoft has yet to release a security patch
Photo by Windows on Unsplash
A group of researchers from cybersecurity companies, including EXPMON’s Haifei Li, informed Microsoft about the zero-day vulnerability last Sunday. The company has not been slow to respond that “they are investigating the reports” to release a patch. However, they have recognized the problem and have said that, in case of infection, users with limited accounts may be less affected than those with administrator privileges.
Microsoft notes that the attack cannot be carried out in case the infected Office file is opened in Protected View or Application Guard mode in Office 365. The former is a read-only feature. The second isolates the document in a secure environment and denies access to shared network resources and system files. However, it is advisable never open documents from untrusted sources.
The Redmond company recommends disabling ActiveX controls in Internet Explorer to prevent infection. But this is a task that requires modifying the Windows registry and restarting the computer. It also recommends keeping Microsoft Defender and Microsoft Defender for Endpoint updated, their own security solutions that, according to them, are capable of stopping the threat.