Microsoft warns of attacks targeting Office documents

3 years ago 294

Affecting Windows desktops and servers, the attacks exploit an MSHTML vulnerability by utilizing specially crafted Microsoft Office documents.

istock-1212785891.jpg

Image: iStock/Simonkolton

Microsoft has raised alarm bells implicit a caller cyberattack that's actively targeting Windows users by exploiting a information flaw done malicious Office documents. In a security update released connected Tuesday, the bundle elephantine described its probe into a distant codification execution vulnerability successful MSHTML that works done specially crafted Microsoft Office documents.

SEE: Incident effect policy (TechRepublic Premium)

"MSHTML is simply a constituent utilized by myriad applications connected Windows," said Jake Williams, co-founder and CTO astatine incidental effect steadfast BreachQuest. "If you've ever opened an exertion that seemingly 'magically' knows your proxy settings, that's apt due to the fact that it uses MSHTML nether the hood."

By exploiting this flaw, an attacker could devise a malicious ActiveX power utilized by an Office papers that hosts the browser's rendering engine. The attacker would person to person the idiosyncratic to unfastened the malicious document, apt sent via email. Users with much constricted accounts connected their computers could beryllium little susceptible than those with afloat administrative privileges.

The exploit affects each existent versions of Windows, including Windows 7, 8.1, and 10, arsenic good arsenic Windows Server 2008, 2012, 2016, 2019 and 2022.

No spot is yet disposable for this exploit. Microsoft said that aft completing its existent investigation, it whitethorn either supply a information update done its monthly merchandise rhythm oregon rotation retired an out-of-cycle update. In the meantime, Microsoft Defender Antivirus and Microsoft Defender for Endpoint some observe and support against this vulnerability. Users of either merchandise should marque definite they're up to date.

Further, Microsoft Office by default opens documents from the net successful Protected View oregon Application Guard for Office, some of which forestall the existent attack. Office users should marque definite that Protected View is enabled. To bash this, click the File paper successful immoderate Office exertion and prime Options. In the Options window, spell to Trust Center, click the fastener for Trust Center Settings and past prime Protected View.

In lieu of a patch, Microsoft does person a workaround. As described successful the information advisory, usage a substance exertion to make a .REG record with the pursuing strings:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

"1001"=dword:00000003

"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]

"1001"=dword:00000003

"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]

"1001"=dword:00000003

"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

"1001"=dword:00000003

"1004"=dword:00000003

Save the record with the .reg extension. Double-click it to adhd it to the existing Registry.

"The bully quality is that this vulnerability is client-side and requires idiosyncratic interaction," said Casey Ellis, laminitis and CTO astatine cybersecurity level Bugcrowd. "A spot volition beryllium disposable soon. Unfortunately, that's the extremity of the bully news."

Ellis cautioned that the exploit complexity appears rather low, which means that attackers tin much readily instrumentality vantage of it. The interaction is precise high. And successful its weaponized form, the exploit could beryllium utilized successful antithetic types of attacks, including ransomware. Plus, adjacent erstwhile a spot becomes available, galore organizations whitethorn neglect to use that spot rapidly enough.

"The accordant situation with client-side vulnerabilities similar this 1 is that determination are a batch of systems that request to beryllium patched, which means they enactment disposable for exploitation to attackers for rather immoderate time," Ellis added.

Microsoft Weekly Newsletter

Be your company's Microsoft insider by speechmaking these Windows and Office tips, tricks, and cheat sheets. Delivered Mondays and Wednesdays

Sign up today

Also see

Read Entire Article