Microsoft issued a warning to Windows users on Tuesday that attackers are actively exploiting an unpatched remote execution zero-day vulnerability in MSHTML, a proprietary browser engine for the now-discontinued Internet Explorer using weaponized MS Office documents.
Tracked as CVE-2021-40444, the vulnerability affects Windows Server 2008 through 2019 and Windows 8.1 through 10 and has a severity level of 8.8 out of the maximum 10.
"Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents," the company said in a security advisory.
"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," it added.
ActiveX is a software framework from Microsoft that adapts its earlier Component Object Model and Object Linking and Embedding technologies for content downloaded from a network.
Microsoft credited researchers from EXPMON and Mandiant for reporting the flaw, although the company did not provide further details about the nature of the attacks, the identity of the adversaries exploiting this zero-day, or their targets in light of real-world attacks.
The researchers at EXPMON stated they discovered the issue after detecting a "highly sophisticated zero-day attack" directed at Microsoft Office users, adding they shared the findings with Microsoft on Sunday. "The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous)," EXPMON researchers said.
However, the risk can be mitigated if Microsoft Office operates with default configurations, wherein documents downloaded from the web are opened in Protected View or Application Guard for Office, which is designed to prevent untrusted files from accessing trusted resources in the compromised system.
Microsoft, upon completion of the investigation, is expected to publish a security patch or an out-of-cycle security update as part of its Patch Tuesday monthly release cycle "depending on customer needs." In the interim, the Windows maker is advising users and organizations to disable all ActiveX controls in Internet Explorer to mitigate any potential threat.