Last Updated on September 10, 2021 by Calvin C.
Microsoft has warned of a zero-day flaw in Windows 10 and some versions of Windows Server. Attackers are actively exploiting this flaw using specially crafted Microsoft Office documents.
Once a user visits a malicious website or opens a document that has been manipulated, the attacker can take complete control of the victim’s computer.
No official patch is yet in place as of writing this article, but after doing some digging I found out the fix could come as soon as September 14.
The vulnerability was documented by the Microsoft Security Response Center (MSRC) as CVE-2021-40444, and it affects engines that power Internet Explorer and some parts of Microsoft Office programs.
That explains why Internet Explorer features in the subject since it’s an old browser that has now been replaced by Edge.
The company did not hesitate to give an executive summary and an extract is as follows:
“Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.
An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
To allay any anxieties, Microsoft highlighted that Microsoft Defender Antivirus and Microsoft Defender for Endpoint can both detect and protect your computer against the vulnerability.
Microsoft advised users to keep their antimalware products up-to-date, an area I covered in an article on cyber hygiene. If you need a refresher on what you need to do to protect your systems from cyberattacks, that article is for you.
If your computer is set to auto-update, there is no need to do anything, as the vulnerability will be patched automatically in the next update.
This is not the first flaw that has haunted Microsoft, as this year (2021) Microsoft has been responding to zero-day threats almost on a monthly basis.
The company seems to be lagging behind in addressing glaring vulnerabilities with each successive update, and attackers can easily capitalize on any of them.